From owner-freebsd-bugs@FreeBSD.ORG  Mon Mar 28 12:10:40 2005
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 9B02B16A4CE; Mon, 28 Mar 2005 12:10:40 +0000 (GMT)
Received: from zaphod.nitro.dk (port324.ds1-khk.adsl.cybercity.dk
	[212.242.113.79])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 0258043D2D; Mon, 28 Mar 2005 12:10:40 +0000 (GMT)
	(envelope-from simon@zaphod.nitro.dk)
Received: by zaphod.nitro.dk (Postfix, from userid 3000)
	id 615151210B; Mon, 28 Mar 2005 14:10:38 +0200 (CEST)
Date: Mon, 28 Mar 2005 14:10:38 +0200
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Gleb Smirnoff <glebius@FreeBSD.org>,
	freebsd-gnats-submit@freebsd.org, freebsd-bugs@freebsd.org
Message-ID: <20050328121037.GA773@zaphod.nitro.dk>
References: <200503262010.j2QKA5cD024282@freefall.freebsd.org>
	<20050328102701.GB50980@cell.sick.ru>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="XsQoSWH+UP9D9v3l"
Content-Disposition: inline
In-Reply-To: <20050328102701.GB50980@cell.sick.ru>
User-Agent: Mutt/1.5.9i
Subject: Re: bin/79260: syslogd may accept illegal facility number from
	remote.
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2005 12:10:40 -0000


--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2005.03.28 14:27:01 +0400, Gleb Smirnoff wrote:
> On Sat, Mar 26, 2005 at 08:10:05PM +0000, Simon L. Nielsen wrote:
> S>  > from remote host. but in struct filed, member variable f_pmask array
> S>  > and f_pcmp array is limited to LOG_NFACILITIES. therefore syslogd
> S>  > access invalid address in logmsg() when facility is larger than
> S>  > LOG_NFACILITIES.
> S> =20
> S>  Have you looked at what the implications of this is, mainly can you
> S>  crash syslogd due to this bug?
>=20
> No, it is impossible to crash syslogd exploiting this bug. We have a magic
> constant 0x3f8, which is anded with facility, so fac can't overflow over =
127.
> f_pmask[] and f_pcmp[] fields in struct filed are followed by a big field=
 f_un,
> which is MAXPATHLEN bytes long. That's why we will never read memory outs=
ide of
> struct filed.

OK, great.  Thanks for looking into this!

--=20
Simon L. Nielsen

--XsQoSWH+UP9D9v3l
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQFCR/Q9h9pcDSc1mlERAsVqAKDLtHUpwyr9Z4dK67W31miVjhGl1gCcCTeN
qT5cIaGwQHnXwb7W5jW/nzs=
=XlI3
-----END PGP SIGNATURE-----

--XsQoSWH+UP9D9v3l--