Date: Thu, 25 Mar 1999 12:40:02 -0800 (PST)
From: futatuki@fureai.or.jp (Yasuhito FUTATSUKI)
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/10765: buffer over run on msgrcv() system call
Message-ID: <199903252040.MAA63044@freefall.freebsd.org>
The following reply was made to PR kern/10765; it has been noted by GNATS.

From: futatuki@fureai.or.jp (Yasuhito FUTATSUKI)
To: FreeBSD-gnats-submit@freebsd.org
Cc: futatuki@fureai.or.jp
Subject: Re: kern/10765: buffer over run on msgrcv() system call
Date: Fri, 26 Mar 1999 05:34:05 +0900 (JST)

Correct some typos, careless mistakes.

> >Description:
>
>   msgrcv(msqid, msgp, msgsz, msgtyp, msgflg) copies larger size of
>   sage data than specified in msgsz when
    ^^^^ message
>   1. msgsz is larger than `msgssz', and
>   2. msgsz is not multiples of `msgssz'
>
>   where msgssz is the size of message segment in bytes, which is
>   specified in kernel configuration option MSGSSZ, the default is 8.
>
> >How-To-Repeat:
>
>   Assume msgssz is 8, message queue of id msgid is accessible,
>   a message of type msgtyp and size 20 bytes was sent, then
>
>   struct {
>     long mtype;
>     char mtext[20];
>     long some_data;
>   } mymsg;
>
>   msgrcv(msqid, (void*)mymsg, 20, msgtyp, 0);
    msgrcv(msqid, (void*)&mymsg, 20, msgtyp, 0);
>   will crash mymsg.some_data .
>
> >Fix:

I verified with $Id: sysv_msg.c,v 1.18 1998/03/30 09:50:35 phk Exp $ (for 3.x)
and $Id: sysv_msg.c,v 1.13 1996/08/31 14:47:57 bde Exp $ (for 2.2.x).
As I read $Id: sysv_msg.c,v 1.19 1999/01/30 12:21:48 phk Exp $ (for 4.0),
I think 4.0-CURRENT has the same problem and the patch can be applied also.

-- 
Yasuhito FUTATSUKI
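The How-To-Repeat above turned into a self-contained regression check (an added example; not code from the PR or from sysv_msg.c): it sends a 20-byte message and receives it with msgsz = 20, which is larger than the default MSGSSZ of 8 and not a multiple of it, into a buffer whose bytes immediately past mtext hold a canary. The canary is a byte array rather than the PR's `long some_data` so that alignment padding on LP64 cannot hide a short overrun; the queue id, message type and canary value are constructed for this check.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>

#define MTEXT_LEN 20        /* the PR's 20-byte message */
#define GUARD_LEN 8         /* one MSGSSZ-sized segment of canary bytes */
#define CANARY    0x5A      /* constructed canary byte */

/* Same shape as the PR's struct, but the field after mtext is a byte array:
 * a long would be realigned on LP64 and the padding could absorb an overrun
 * of a few bytes before it reached the field. */
struct guarded_msg {
    long mtype;
    char mtext[MTEXT_LEN];
    unsigned char guard[GUARD_LEN];
};

/* Returns 0 if the canary survived, 1 if msgrcv() wrote past msgsz,
 * -1 if System V message queues cannot be used in this environment. */
int check_msgrcv_overrun(void)
{
    struct guarded_msg snd, rcv;
    int id = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
    if (id < 0)
        return -1;
    memset(&snd, 0, sizeof snd);
    snd.mtype = 1;
    memset(snd.mtext, 'A', MTEXT_LEN);
    if (msgsnd(id, &snd, MTEXT_LEN, 0) < 0) {
        msgctl(id, IPC_RMID, NULL);
        return -1;
    }
    /* msgsz = 20: larger than MSGSSZ = 8 and not a multiple of it, the
     * combination the PR says makes the kernel copy too much. */
    memset(&rcv, 0, sizeof rcv);
    memset(rcv.guard, CANARY, GUARD_LEN);   /* canary just past mtext */
    ssize_t n = msgrcv(id, &rcv, MTEXT_LEN, 1, 0);
    msgctl(id, IPC_RMID, NULL);             /* always remove the queue */
    if (n != MTEXT_LEN)
        return -1;
    for (int i = 0; i < GUARD_LEN; i++)
        if (rcv.guard[i] != CANARY)
            return 1;                       /* bytes past msgsz were written */
    return 0;
}

int main(void)
{
    int r = check_msgrcv_overrun();
    puts(r == 0 ? "ok: msgrcv() honoured msgsz" : r == 1 ? "OVERRUN past msgsz" : "IPC unavailable");
    return r == 1;
}
```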