Date: Mon, 8 Dec 1997 13:22:30 -0500 (EST)
From: "Gregory D. Moncreaff" <moncrg@bt340707.res.ray.com>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/5256: netstat sockaddr bogon
Message-ID: <199712081822.NAA13280@bt340707.res.ray.com>
Resent-Message-ID: <199712090110.RAA07952@hub.freebsd.org>
>Number: 5256
>Category: bin
>Synopsis: netstat sockaddr bogon
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 8 17:10:02 PST 1997
>Last-Modified:
>Originator: Gregory D. Moncreaff
>Organization: RES
>Release: FreeBSD 2.2.5-RELEASE i386
>Environment:
>Description:
truncates info in sockaddr* between kgetsa and p_sockaddr by dereferencing pointer to smaller structure
>How-To-Repeat:
only visible with larger sockaddrs (I'm working with resurrected netiso code)
>Fix:
diffs to netstat/route.c:
101c101,102 < typedef union { --- > > static union { 104,106c105 < } sa_u; < < static sa_u pt_u; --- > } pt_u; 509c508 < sa_u addr, mask; --- > struct sockaddr addr, mask; 517,524c516,523 < bzero(&addr, sizeof addr); < if ((sa = kgetsa(rt_key(rt)))) < bcopy(sa,&addr,sa->sa_len); < < bzero(&mask, sizeof mask); < if (rt_mask(rt) && (sa = kgetsa(rt_mask(rt)))) < bcopy(sa,&mask,sa->sa_len); < --- > if (!(sa = kgetsa(rt_key(rt)))) > bzero(&addr, sizeof addr); > else > addr = *sa; > if (!rt_mask(rt) || !(sa = kgetsa(rt_mask(rt)))) > bzero(&mask, sizeof mask); > else > mask = *sa;
>Audit-Trail:
>Unformatted:
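Review bot: In the 517,524 hunk, bcopy(sa,&addr,sa->sa_len) and bcopy(sa,&mask,sa->sa_len) take the copy length from the sockaddr itself and never compare it with sizeof addr or sizeof mask, so an sa_len larger than sa_u writes past the local variable. Suggest clamping the length to the destination size before each copy, or skipping entries that do not fit. The union's members sit in unchanged lines that the diff does not show, so it is also worth confirming that sa_u covers the largest address family this code is expected to print.

Review bot: The diff direction looks reversed relative to the description: the `<` side carries the sa_u union and the sa_len-sized bcopy, while the `>` side has struct sockaddr addr, mask; with addr = *sa and mask = *sa, which is the copy through the smaller structure that the description says truncates. Regenerating the diff as old-then-new, or stating that it must be applied in reverse, would keep it from being applied the wrong way, and a context or unified diff would apply more reliably than these line-number-only hunks.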