From owner-freebsd-bugs Sun Feb 6 23:29:30 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by builder.freebsd.org (Postfix) with ESMTP id 724483E2C for ; Sun, 6 Feb 2000 23:29:20 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id XAA04528; Sun, 6 Feb 2000 23:30:02 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from mail.iserlohn.netsurf.de (mail.iserlohn.netsurf.de [194.195.194.253]) by builder.freebsd.org (Postfix) with ESMTP id 9812C3E9B for ; Sun, 6 Feb 2000 23:20:26 -0800 (PST)
Received: from schumann.cx (hennen32s.iserlohn.netsurf.de [194.195.194.226]) by mail.iserlohn.netsurf.de (8.9.1/8.9.1) with SMTP id IAA32577 for ; Mon, 7 Feb 2000 08:21:20 +0100
Received: (qmail 7358 invoked from network); 7 Feb 2000 07:21:07 -0000
Received: from unknown (HELO flaubert.foo.bar) (192.168.0.99) by guerilla.foo.bar with SMTP; 7 Feb 2000 07:21:07 -0000
Received: (qmail 6914 invoked by uid 500); 7 Feb 2000 07:21:29 -0000
Received: (qmail 6826 invoked from network); 7 Feb 2000 07:16:17 -0000
Received: from guerilla.foo.bar (HELO schumann.cx) (192.168.0.1) by flaubert.foo.bar with SMTP; 7 Feb 2000 07:16:17 -0000
Received: (qmail 7208 invoked by alias); 7 Feb 2000 07:15:54 -0000
Received: (qmail 7204 invoked by uid 500); 7 Feb 2000 07:15:54 -0000
Message-Id: <20000207071554.7203.qmail@schumann.cx>
Date: 7 Feb 2000 07:15:54 -0000
From: sascha@schumann.cx
To: FreeBSD-gnats-submit@freebsd.org
Cc: sascha@schumann.cx
X-Send-Pr-Version: 3.2
Subject: kern/16552: appropriate buffer size check
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         16552
>Category:       kern
>Synopsis:       sys/dev/ppbus/pcfclock.c lacks a proper buffer size check
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 6 23:30:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Sascha Schumann
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
>Environment:
NA
>Description:
Passing a buffer that is too small into pcfclock_read() can cause an overrun.
>How-To-Repeat:
	#include <fcntl.h>
	#include <unistd.h>
	int main(void) {
		int fd;
		char buf[3];
		fd = open("/dev/pcfclock0", O_RDONLY);
		read(fd, buf, 3);	/* buffer smaller than the 18-byte record */
	}
>Fix:
--- /usr/src/sys/dev/ppbus/pcfclock.c	Sun Jan 23 15:41:04 2000
+++ pcfclock.c	Sat Jan 29 12:13:38 2000
@@ -311,6 +309,9 @@
 	u_int unit = minor(dev);
 	char buf[18];
 	int error = 0;
+
+	if (uio->uio_resid < 18)
+		return (ERANGE);
 	error = pcfclock_read_dev(dev, buf, PCFCLOCK_MAX_RETRIES);
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
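Review bot: the new check hard-codes the record length twice, once in `char buf[18]` and again in `if (uio->uio_resid < 18)`; write it as `if (uio->uio_resid < sizeof(buf))` so the limit cannot drift if the buffer is ever resized. Two smaller points on the same hunk: the header `@@ -311,6 +309,9 @@` has different old and new starting lines for the only hunk in the patch, which indicates the diff was taken against an already-modified copy of pcfclock.c rather than the pristine `/usr/src/sys/dev/ppbus/pcfclock.c`, so it should be regenerated before it is applied; and the choice of `ERANGE` for a read request shorter than the record is not explained anywhere in the patch or the PR text, so a one-line comment above the check stating why that errno was picked would help the next reader.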
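The following is an added example, not code from the PR or from FreeBSD's pcfclock.c. It models in user space the defect the PR describes and the shape of its fix: a read handler that formats a fixed 18-byte record into a local buffer and then copies it to the caller. The unchecked variant copies the whole record regardless of how many bytes the caller asked for; the checked variant refuses when the caller's remaining count is shorter than the record, using `sizeof()` so the limit is tied to the buffer declaration. `struct xfer`, `read_clock_record()` and the 18-character sample record are hypothetical stand-ins for the kernel's `struct uio` and device layer; a canary-filled region stands in for the memory that would follow a short caller buffer.

```c
/*
 * Added example (not from the PR or pcfclock.c): user-space model of a
 * fixed-size device record read, unchecked versus length-checked.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RECORD_LEN 18   /* record size, matching the PR's char buf[18] */

/* Hypothetical stand-in for struct uio: destination and bytes remaining. */
struct xfer {
	char   *base;   /* caller's buffer */
	size_t  resid;  /* bytes the caller can still accept (uio_resid) */
};

/* Stand-in for the device layer: produces a constructed 18-byte record. */
static void read_clock_record(char *rec, size_t len)
{
	/* Constructed sample: 14 digits of timestamp plus 4 status bytes. */
	static const char sample[RECORD_LEN] = "20000207071554ABCD";
	memcpy(rec, sample, len < RECORD_LEN ? len : RECORD_LEN);
}

/* Unchecked variant: copies the full record even if the caller asked for less. */
static int clock_read_unchecked(struct xfer *uio)
{
	char rec[RECORD_LEN];
	read_clock_record(rec, sizeof(rec));
	memcpy(uio->base, rec, sizeof(rec));   /* overruns a caller buffer shorter than RECORD_LEN */
	return 0;
}

/* Checked variant, following the PR's fix but with sizeof() instead of a
 * repeated magic 18: refuse before anything is copied. */
static int clock_read_checked(struct xfer *uio)
{
	char rec[RECORD_LEN];
	if (uio->resid < sizeof(rec))
		return ERANGE;
	read_clock_record(rec, sizeof(rec));
	memcpy(uio->base, rec, sizeof(rec));
	uio->base  += sizeof(rec);
	uio->resid -= sizeof(rec);
	return 0;
}

/* A 3-byte request inside a larger canary-filled region: returns how many
 * bytes beyond the requested 3 the unchecked handler overwrote. */
static int clobbered_bytes_unchecked(void)
{
	char region[32];
	memset(region, 'X', sizeof(region));
	struct xfer uio = { region, 3 };
	clock_read_unchecked(&uio);
	int n = 0;
	for (size_t i = 3; i < sizeof(region); i++)
		if (region[i] != 'X')
			n++;
	return n;   /* 15: bytes 3..17 of the 18-byte record landed past the request */
}

/* Same 3-byte request against the checked handler: returns its error code. */
static int checked_short_request(void)
{
	char b[3];
	struct xfer uio = { b, sizeof(b) };
	return clock_read_checked(&uio);   /* ERANGE, nothing copied */
}

/* Full-size request against the checked handler: 1 if the record arrived intact. */
static int checked_full_request(void)
{
	char b[RECORD_LEN];
	struct xfer uio = { b, sizeof(b) };
	int rc = clock_read_checked(&uio);
	return rc == 0 && uio.resid == 0 &&
	       memcmp(b, "20000207071554ABCD", RECORD_LEN) == 0;
}

int main(void)
{
	printf("unchecked: %d bytes written past a 3-byte request\n",
	       clobbered_bytes_unchecked());
	printf("checked, 3-byte request: %s\n",
	       checked_short_request() == ERANGE ? "ERANGE" : "accepted");
	printf("checked, 18-byte request: %s\n",
	       checked_full_request() ? "record intact" : "failed");
	return 0;
}
```

The canary region makes the overrun observable without undefined behaviour in the demonstration itself; in the kernel the same surplus bytes would land on whatever follows the caller's buffer. The check sits before the device is read so a rejected request has no side effects, and it compares against `sizeof(rec)` so there is a single place where the record length is stated.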