Date:      Thu, 25 Mar 1999 12:40:02 -0800 (PST)
From:      futatuki@fureai.or.jp (Yasuhito FUTATSUKI)
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/10765: buffer over run on msgrcv() system call
Message-ID:  <199903252040.MAA63044@freefall.freebsd.org>

The following reply was made to PR kern/10765; it has been noted by GNATS.

From: futatuki@fureai.or.jp (Yasuhito FUTATSUKI)
To: FreeBSD-gnats-submit@freebsd.org
Cc: futatuki@fureai.or.jp
Subject: Re: kern/10765: buffer over run on msgrcv() system call
Date: Fri, 26 Mar 1999 05:34:05 +0900 (JST)

 Correcting some typos and careless mistakes.
 
 > >Description:
 > 
 > msgrcv(msqid, msgp, msgsz, msgtyp, msgflg) copies larger size of
 > sage data than specified in msgsz when
   ^^^^
   message
  
 >   1. msgsz is larger than `msgssz', and
 >   2. msgsz is not a multiple of `msgssz'
 > 
 > where msgssz is the size of message segment in bytes, which is
 > specified in kernel configuration option MSGSSZ, the default is 8.
 > 
 > >How-To-Repeat:
 > 
 > Assume msgssz is 8, message queue of id msgid is accessible,
 > a message of type msgtyp and size 20 bytes was sent, then
 > 
 >   struct {
 >     long mtype; 
 >     char mtext[20];
 >     long some_data; 
 >   } mymsg;
 > 
 >   msgrcv(msqid, (void*)mymsg, 20, msgtyp, 0);
     msgrcv(msqid, (void*)&mymsg, 20, msgtyp, 0);
                           
 > will crash mymsg.some_data .
 
 > > Fix:
 
 I verified with
 
   $Id: sysv_msg.c,v 1.18 1998/03/30 09:50:35 phk Exp $ (for 3.x) and 
   $Id: sysv_msg.c,v 1.13 1996/08/31 14:47:57 bde Exp $ (for 2.2.x).
 
 As I read
 
   $Id: sysv_msg.c,v 1.19 1999/01/30 12:21:48 phk Exp $ (for 4.0) ,
 
 I think 4.0-CURRENT has the same problem and the patch can also be applied.
 
   -- Yasuhito FUTATSUKI
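
Added example, not part of the original message or of the PR's patch: a user-space C model of the segment-by-segment copy described in the report, showing the overrun beside a version that sizes the last chunk from the bytes remaining. The chunk-length logic, the flat buffer with a guard area standing in for mymsg.some_data, and the names copy_segments and guard_bytes_clobbered are assumptions chosen to reproduce the report's two conditions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSGSSZ 8   /* segment size; the report gives 8 as the default */
#define GUARD  8   /* constructed guard area standing in for mymsg.some_data */

/* Model of a segment-by-segment copy into the caller's buffer (an assumption,
 * not kernel source). fixed == 0 sizes each chunk from the total msgsz, which
 * overruns under the report's two conditions; fixed == 1 sizes it from the
 * bytes still remaining. Returns the number of bytes written to dst. */
static size_t copy_segments(char *dst, const char *pool, size_t msgsz, int fixed)
{
    size_t len, written = 0;

    for (len = 0; len < msgsz; len += MSGSSZ) {
        size_t basis = fixed ? msgsz - len : msgsz;
        size_t tlen = basis > MSGSSZ ? MSGSSZ : basis;

        memcpy(dst + len, pool + len, tlen);
        written += tlen;
    }
    return written;
}

/* Receive msgsz bytes into a flat buffer laid out as mtext[msgsz] followed by
 * GUARD bytes, and count how many guard bytes were overwritten. */
static int guard_bytes_clobbered(size_t msgsz, int fixed)
{
    char pool[64], user[64];          /* large enough for msgsz <= 48 */
    int i, hit = 0;

    memset(pool, 'M', sizeof pool);   /* constructed message data */
    memset(user, 0, sizeof user);
    memset(user + msgsz, 'G', GUARD);
    copy_segments(user, pool, msgsz, fixed);
    for (i = 0; i < GUARD; i++)
        if (user[msgsz + i] != 'G')
            hit++;
    return hit;
}

int main(void)
{
    printf("msgsz=20 unfixed: %d guard bytes overwritten\n", guard_bytes_clobbered(20, 0));
    printf("msgsz=20 fixed:   %d guard bytes overwritten\n", guard_bytes_clobbered(20, 1));
    return 0;
}
```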
 

