Date:      Fri, 8 Nov 1996 04:32:12 -0800
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        "Jordan K. Hubbard" <jkh@time.cdrom.com>, Don Lewis <Don.Lewis@tsc.tdk.com>
Cc:        stable@freebsd.org
Subject:   Re: The curtain is going down on 2.1-stable in 5 days!
Message-ID:  <199611081232.EAA20373@salsa.gv.ssi1.com>
In-Reply-To: "Jordan K. Hubbard" <jkh@time.cdrom.com> "Re: The curtain is going down on 2.1-stable in 5 days!" (Nov  8,  4:11am)

On Nov 8,  4:11am, "Jordan K. Hubbard" wrote:
} Subject: Re: The curtain is going down on 2.1-stable in 5 days!
} > 	their network interfaces.  The de driver swiped from from -current
} > 	a few weeks ago and butchered so that compiles under -stable seems
} > 	to work perfectly.  Judging by some of the comments in that version
} 
} Could you elaborate on "butchered" a bit here? :-)  I believe that
} David's still responsible for the de driver, so if any merging is
} to be done then he's the guy to talk to about it.

It's mostly things like what include files are pulled in.  That kind
of stuff seems to have changed between the 2.1 branch and the 2.2 branch.
It looks like 2.1 also doesn't have ether_ioctl(), so I put in the code
from the -stable driver.  Unfortunately, I can't seem to find
an unhacked version of the driver, but here's a diff between the latest
version in current and my hacked version (which still has one compiler
warning):

*** if_de.c	Tue Oct 15 16:15:13 1996
--- hacked_de.c	Fri Nov  8 04:22:30 1996
***************
*** 21,27 ****
   * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   *
!  * $Id: if_de.c,v 1.54 1996/10/15 19:22:39 bde Exp $
   *
   */
  
--- 21,27 ----
   * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   *
!  * $Id: if_de.c,v 1.52 1996/09/20 04:35:15 davidg Exp $
   *
   */
  
***************
*** 35,40 ****
--- 35,45 ----
   *   board which support DC21040, DC21041, or DC21140 (mostly).
   */
  
+ #if defined(__FreeBSD__)
+ #include "de.h"
+ #endif
+ #if NDE > 0 || !defined(__FreeBSD__)
+ 
  #include <sys/param.h>
  #include <sys/systm.h>
  #include <sys/mbuf.h>
***************
*** 46,51 ****
--- 51,57 ----
  #include <sys/kernel.h>
  #include <sys/proc.h>	/* only for declaration of wakeup() used by vm.h */
  #if defined(__FreeBSD__)
+ #include <sys/devconf.h>
  #include <machine/clock.h>
  #elif defined(__bsdi__) || defined(__NetBSD__)
  #include <sys/device.h>
***************
*** 52,60 ****
  #endif
  
  #include <net/if.h>
- #include <net/if_dl.h>
- #include <net/if_mib.h>
  #include <net/if_types.h>
  #include <net/route.h>
  #include <net/netisr.h>
  
--- 58,65 ----
  #endif
  
  #include <net/if.h>
  #include <net/if_types.h>
+ #include <net/if_dl.h>
  #include <net/route.h>
  #include <net/netisr.h>
  
***************
*** 82,89 ****
  #include <vm/vm_kern.h>
  
  #if defined(__FreeBSD__)
! #include <vm/pmap.h>
! #include "pci.h"
  #if NPCI > 0
  #include <pci/pcivar.h>
  #include <pci/dc21040.h>
--- 87,93 ----
  #include <vm/vm_kern.h>
  
  #if defined(__FreeBSD__)
! #include <pci.h>
  #if NPCI > 0
  #include <pci/pcivar.h>
  #include <pci/dc21040.h>
***************
*** 520,526 ****
  #endif
      struct ifqueue tulip_txq;
      struct ifqueue tulip_rxq;
!     struct ifmib_iso_8802_3 tulip_dot3stats;
      tulip_ringinfo_t tulip_rxinfo;
      tulip_ringinfo_t tulip_txinfo;
      tulip_desc_t tulip_rxdescs[TULIP_RXDESCS];
--- 524,530 ----
  #endif
      struct ifqueue tulip_txq;
      struct ifqueue tulip_rxq;
!     tulip_dot3_stats_t tulip_dot3stats;
      tulip_ringinfo_t tulip_rxinfo;
      tulip_ringinfo_t tulip_txinfo;
      tulip_desc_t tulip_rxdescs[TULIP_RXDESCS];
***************
*** 540,552 ****
      "DC21142 [10-100Mb/s]",
  };
  
- #define chip(x) DOT3CHIPSET(dot3VendorDigital, dot3ChipSetDigital##x)
- static u_int32_t const tulip_chip2mib[] = {
- 	chip(DC21040), chip(DC21040), chip(DC21041), chip(DC21140),
- 	chip(DC21140A), chip(DC21142)
- };
- #undef chip
- 
  static const char * const tulip_mediums[] = {
      "unknown",			/* TULIP_MEDIA_UNKNOWN */
      "10baseT",			/* TULIP_MEDIA_10BASET */
--- 544,549 ----
***************
*** 3320,3325 ****
--- 3317,3323 ----
      caddr_t data)
  {
      tulip_softc_t * const sc = TULIP_IFP_TO_SOFTC(ifp);
+     struct ifaddr *ifa = (struct ifaddr *) data;
      struct ifreq *ifr = (struct ifreq *) data;
      tulip_spl_t s;
      int error = 0;
***************
*** 3330,3339 ****
      s = splimp();
  #endif
      switch (cmd) {
! 	case SIOCSIFADDR:
! 	case SIOCGIFADDR:
! 	    ether_ioctl(ifp, cmd, data);
  	    break;
  
  	case SIOCSIFFLAGS: {
  	    /*
--- 3328,3385 ----
      s = splimp();
  #endif
      switch (cmd) {
! 	case SIOCSIFADDR: {
! 
! 	    ifp->if_flags |= IFF_UP;
! 	    switch(ifa->ifa_addr->sa_family) {
! #ifdef INET
! 		case AF_INET: {
! 		    sc->tulip_ac.ac_ipaddr = IA_SIN(ifa)->sin_addr;
! 		    tulip_init(sc);
! #if defined(__FreeBSD__) || defined(__NetBSD__)
! 		    arp_ifinit(&sc->tulip_ac, ifa);
! #elif defined(__bsdi__)
! 		    arpwhohas(&sc->tulip_ac, &IA_SIN(ifa)->sin_addr);
! #endif
! 		    break;
! 		}
! #endif /* INET */
! 
! #ifdef NS
! 		/*
! 		 * This magic copied from if_is.c; I don't use XNS,
! 		 * so I have no way of telling if this actually
! 		 * works or not.
! 		 */
! 		case AF_NS: {
! 		    struct ns_addr *ina = &(IA_SNS(ifa)->sns_addr);
! 		    if (ns_nullhost(*ina)) {
! 			ina->x_host = *(union ns_host *)(sc->tulip_ac.ac_enaddr);
! 		    } else {
! 			ifp->if_flags &= ~IFF_RUNNING;
! 			bcopy((caddr_t)ina->x_host.c_host,
! 			      (caddr_t)sc->tulip_ac.ac_enaddr,
! 			      sizeof sc->tulip_ac.ac_enaddr);
! 		    }
! 
! 		    tulip_init(sc);
! 		    break;
! 		}
! #endif /* NS */
! 
! 		default: {
! 		    tulip_init(sc);
! 		    break;
! 		}
! 	    }
  	    break;
+ 	}
+ 	case SIOCGIFADDR: {
+ 	    bcopy((caddr_t) sc->tulip_ac.ac_enaddr,
+ 		  (caddr_t) ((struct sockaddr *)&ifr->ifr_data)->sa_data,
+ 		  6);
+ 	    break;
+ 	}
  
  	case SIOCSIFFLAGS: {
  	    /*
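Review bot: The new SIOCGIFADDR case copies the station address with a literal `6`, while the AF_NS branch added a few lines above it uses `sizeof sc->tulip_ac.ac_enaddr` for the same array. Passing `sizeof sc->tulip_ac.ac_enaddr` as the third bcopy argument in both places keeps the copy length tied to the buffer. The AF_NS branch also overwrites ac_enaddr from the address supplied with the ioctl, and its own comment says the path is untested, so a short comment stating that this case changes the interface's hardware address would help the next reader. tulip_ifioctl starts and ends outside this hunk.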
***************
*** 3743,3749 ****
      ifp->if_ioctl = tulip_ifioctl;
      ifp->if_start = tulip_ifstart;
      ifp->if_watchdog = tulip_ifwatchdog;
!     ifp->if_init = (if_init_f_t*)tulip_init;
      ifp->if_timer = 1;
  #if !defined(__bsdi__) || _BSDI_VERSION < 199401
      ifp->if_output = ether_output;
--- 3789,3795 ----
      ifp->if_ioctl = tulip_ifioctl;
      ifp->if_start = tulip_ifstart;
      ifp->if_watchdog = tulip_ifwatchdog;
!     ifp->if_init = tulip_init;
      ifp->if_timer = 1;
  #if !defined(__bsdi__) || _BSDI_VERSION < 199401
      ifp->if_output = ether_output;
***************
*** 3779,3787 ****
  	   TULIP_EADDR_ARGS(sc->tulip_hwaddr));
  #endif
  
-     sc->tulip_dot3stats.dot3Compliance = DOT3COMPLIANCE_STATS;
-     sc->tulip_dot3stats.dot3StatsEtherChipSet = 
- 	    tulip_chip2mib[sc->tulip_chipid];
  
      if (sc->tulip_boardsw->bd_mii_probe != NULL)
  	(*sc->tulip_boardsw->bd_mii_probe)(sc);
--- 3825,3830 ----
***************
*** 3796,3804 ****
      tulip_reset(sc);
      sc->tulip_flags &= ~TULIP_DEVICEPROBE;
  
-     ifp->if_linkmib = &sc->tulip_dot3stats;
-     ifp->if_linkmiblen = sizeof sc->tulip_dot3stats;
- 
  #if defined(__bsdi__) && _BSDI_VERSION >= 199510
      sc->tulip_pf = printf;
      ether_attach(ifp);
--- 3839,3844 ----
***************
*** 4372,4378 ****
  		return;
  	    }
  	}
- 	at_shutdown(tulip_shutdown, sc, SHUTDOWN_POST_SYNC);
  #endif
  #if defined(__bsdi__)
  	if ((sc->tulip_flags & TULIP_SLAVEDINTR) == 0) {
--- 4412,4417 ----
***************
*** 4408,4410 ****
--- 4447,4450 ----
  	splx(s);
      }
  }
+ #endif /* NDE > 0 */



} I'll look for the rwhod fix, though if you've got a more exact pointer
} that would help.

Ok, here it is:

On Nov 3,  9:16pm, Warner Losh wrote:
} Subject: Re: rwhod buffer overflow bug
} In message <199611010236.SAA05376@salsa.gv.ssi1.com> Don Lewis writes:
} : The wd_hostname buffer overflow bug in rwhod that came to light a couple
} : months ago appears to have been fixed in -current, but the fix never
} : seems to have been made to -stable.
} 
} Guido beat me to the punch on this one.  Here's his patch that you can
} test.  We plan on committing it to -stable soon.
} 
} Warner
} 
} From: Guido van Rooij <guido@gvr.win.tue.nl>
} Subject: Re: rwhod buffer overflow bug
} To: imp@village.org (Warner Losh)
} Date: Sun, 3 Nov 1996 20:50:22 +0100 (MET)
} X-Mailer: ELM [version 2.4ME+ PL28 (25)]
} MIME-Version: 1.0
} Content-Type: text/plain; charset=US-ASCII
} Content-Transfer-Encoding: 7bit
} 
} Warner Losh wrote:
} > In message <199611010236.SAA05376@salsa.gv.ssi1.com> Don Lewis writes:
} > : The wd_hostname buffer overflow bug in rwhod that came to light a couple
} > : months ago appears to have been fixed in -current, but the fix never
} > : seems to have been made to -stable.
} > 
} > I can do the CVS legwork if someone has a -stable system to test it
} > on.
} > 
} > Warner
} > 
} > P.S.  I just noticed and fixed two minor buffer related problems in
} > rwhod.c that I happened to notice as I was looking at this code.  Yow!
} > 
} 
} Underneath the complete patch. It works on my 2.1.5 system.
} Don't be scared by the master.passwd change. It didn't seem to bother
} anyone in current at the time and it makes real sense ;-)
} Please review it. I can commit it but please mail back if you want
} me to.
} 
} -Guido
} 
} --- etc/master.passwd.orig	Sun Nov  3 20:43:22 1996
} +++ etc/master.passwd	Sun Nov  3 20:43:50 1996
} @@ -1,6 +1,6 @@
}  root::0:0::0:0:Charlie &:/root:/bin/csh
}  toor:*:0:0::0:0:Bourne-again Superuser:/root:
} -daemon:*:1:31::0:0:Owner of many system processes:/root:
} +daemon:*:1:1::0:0:Owner of many system processes:/root:
}  operator:*:2:20::0:0:System &:/usr/guest/operator:/bin/csh
}  bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/nonexistent
}  games:*:7:13::0:0:Games pseudo-user:/usr/games:
} --- etc/mtree/BSD.var.dist.orig	Mon Jun 17 11:17:40 1996
} +++ etc/mtree/BSD.var.dist	Sun Nov  3 20:21:00 1996
} @@ -40,7 +40,7 @@
}      ..
}      run             uname=bin
}      ..
} -    rwho            uname=bin
} +    rwho            uname=bin gname=daemon mode=0775
}      ..
}  /set type=dir uname=uucp gname=daemon mode=0755
}      spool           uname=bin gname=bin
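Review bot: `gname=daemon mode=0775` makes the rwho directory writable by every member of group daemon while it stays owned by bin, which is broader than the single daemon that needs to write there. If rwhod is the only writer, presumably `uname=daemon` with `mode=0755` would give the dropped-privilege process the same access without a group-writable directory. It is worth confirming that nothing else depends on bin owning it before choosing between the two.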
} --- usr.sbin/rwhod/rwhod.c.orig	Thu May 26 07:22:40 1994
} +++ usr.sbin/rwhod/rwhod.c	Sun Nov  3 20:44:16 1996
} @@ -65,6 +65,10 @@
}  #include <syslog.h>
}  #include <unistd.h>
}  #include <utmp.h>
} +#include <pwd.h>
} +
} +#define UNPRIV_USER		"daemon"
} +#define UNPRIV_GROUP		"daemon"
}  
}  /*
}   * Alarm interval. Don't forget to change the down time check in ruptime
} @@ -94,15 +98,17 @@
}  
}  #define	WHDRSIZE	(sizeof(mywd) - sizeof(mywd.wd_we))
}  
} +void	 run_as __P((uid_t *, gid_t *));
}  int	 configure __P((int));
}  void	 getboottime __P((int));
}  void	 onalrm __P((int));
}  void	 quit __P((char *));
}  void	 rt_xaddrs __P((caddr_t, caddr_t, struct rt_addrinfo *));
} -int	 verify __P((char *));
} +int	 verify __P((char *, int));
}  #ifdef DEBUG
}  char	*interval __P((int, char *));
} -void	 Sendto __P((int, char *, int, int, char *, int));
} +void	 Sendto __P((int, const void *, size_t, int,
} +		     const struct sockaddr *, int));
}  #define	 sendto Sendto
}  #endif
}  
} @@ -117,11 +123,16 @@
}  	int on = 1;
}  	char *cp;
}  	struct sockaddr_in sin;
} +	uid_t unpriv_uid;
} +	gid_t unpriv_gid;
}  
}  	if (getuid()) {
}  		fprintf(stderr, "rwhod: not super user\n");
}  		exit(1);
}  	}
} +
} +	run_as(&unpriv_uid, &unpriv_gid);
} +
}  	sp = getservbyname("who", "udp");
}  	if (sp == NULL) {
}  		fprintf(stderr, "rwhod: udp/who: unknown service\n");
} @@ -146,7 +157,8 @@
}  	}
}  	if ((cp = index(myname, '.')) != NULL)
}  		*cp = '\0';
} -	strncpy(mywd.wd_hostname, myname, sizeof(myname) - 1);
} +	strncpy(mywd.wd_hostname, myname, sizeof(mywd.wd_hostname) - 1);
} +	mywd.wd_hostname[sizeof(mywd.wd_hostname) - 1] = '\0';
}  	utmpf = open(_PATH_UTMP, O_RDONLY|O_CREAT, 0644);
}  	if (utmpf < 0) {
}  		syslog(LOG_ERR, "%s: %m", _PATH_UTMP);
} @@ -168,6 +180,8 @@
}  		syslog(LOG_ERR, "bind: %m");
}  		exit(1);
}  	}
} +	setgid(unpriv_gid);
} +	setuid(unpriv_uid);
}  	if (!configure(s))
}  		exit(1);
}  	signal(SIGALRM, onalrm);
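Review bot: The return values of `setgid(unpriv_gid)` and `setuid(unpriv_uid)` are ignored, so if either call fails rwhod keeps running as root and goes on to handle packets from the network. The drop should fail closed, for example `if (setgid(unpriv_gid) < 0 || setuid(unpriv_uid) < 0) { syslog(LOG_ERR, "setgid/setuid: %m"); exit(1); }`. The supplementary group list inherited from root is also left in place; a `setgroups(1, &unpriv_gid)` before the setgid call would clear it. main() starts and ends outside this hunk.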
} @@ -192,7 +206,7 @@
}  			continue;
}  		if (wd.wd_type != WHODTYPE_STATUS)
}  			continue;
} -		if (!verify(wd.wd_hostname)) {
} +		if (!verify(wd.wd_hostname, sizeof wd.wd_hostname)) {
}  			syslog(LOG_WARNING, "malformed host name from %x",
}  				from.sin_addr);
}  			continue;
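Review bot: The syslog call in this hunk's context still passes `from.sin_addr`, a struct in_addr, to a `%x` conversion. The Sendto hunk further down fixes the same argument mismatch by using `sin->sin_addr.s_addr`, and this line should get the same treatment: `syslog(LOG_WARNING, "malformed host name from %x", ntohl(from.sin_addr.s_addr));`. The enclosing receive loop begins and ends outside the hunk.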
} @@ -234,22 +248,47 @@
}  	}
}  }
}  
} +
} +void
} +run_as(uid, gid)
} +	uid_t *uid;
} +	gid_t *gid;
} +{
} +	struct passwd *pw;
} +
} +	pw = getpwnam(UNPRIV_USER);
} +	if (!pw) {
} +		syslog(LOG_ERR, "getpwnam(%s): %m", UNPRIV_USER);
} +		exit(1);
} +	}
} +	*uid = pw->pw_uid;
} +
} +	pw = getpwnam(UNPRIV_GROUP);
} +	if (!pw) {
} +		syslog(LOG_ERR, "getpwnam(%s): %m", UNPRIV_GROUP);
} +		exit(1);
} +	}
} +	*gid = pw->pw_gid;
} +}
} +
}  /*
}   * Check out host name for unprintables
}   * and other funnies before allowing a file
}   * to be created.  Sorry, but blanks aren't allowed.
}   */
}  int
} -verify(name)
} +verify(name, maxlen)
}  	register char *name;
} +	register int   maxlen;
}  {
}  	register int size = 0;
}  
} -	while (*name) {
} +	while (*name && size < maxlen - 1) {
}  		if (!isascii(*name) || !(isalnum(*name) || ispunct(*name)))
}  			return (0);
}  		name++, size++;
}  	}
} +	*name = '\0';
}  	return (size > 0);
}  }
}  
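Review bot: run_as() resolves the group with `getpwnam(UNPRIV_GROUP)` and takes `pw->pw_gid`, which is the primary gid of a user with that name rather than the gid of the group. It only yields the intended group because both macros are "daemon" and the master.passwd hunk changes that account's gid from 31 to 1. Looking the group up directly removes that coupling: include `<grp.h>` and use `struct group *gr = getgrnam(UNPRIV_GROUP);` followed by `*gid = gr->gr_gid;`, with the error message naming getgrnam. Separately, verify() still accepts `/` and `.` through ispunct(); if the name is later used to build a file name, as the comment above verify suggests, rejecting `/` there would be cheap hardening.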
} @@ -477,16 +516,18 @@
}  void
}  Sendto(s, buf, cc, flags, to, tolen)
}  	int s;
} -	char *buf;
} -	int cc, flags;
} -	char *to;
} +	const void *buf;
} +	size_t cc;
} +	int flags;
} +	const struct sockaddr *to;
}  	int tolen;
}  {
}  	register struct whod *w = (struct whod *)buf;
}  	register struct whoent *we;
}  	struct sockaddr_in *sin = (struct sockaddr_in *)to;
}  
} -	printf("sendto %x.%d\n", ntohl(sin->sin_addr), ntohs(sin->sin_port));
} +	printf("sendto %x.%d\n", ntohl(sin->sin_addr.s_addr),
} +				 ntohs(sin->sin_port));
}  	printf("hostname %s %s\n", w->wd_hostname,
}  	   interval(ntohl(w->wd_sendtime) - ntohl(w->wd_boottime), "  up"));
}  	printf("load %4.2f, %4.2f, %4.2f\n",
} 
}-- End of excerpt from Warner Losh



			---  Truck


