Date:      Mon, 28 Mar 2005 14:10:38 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Gleb Smirnoff <glebius@FreeBSD.org>, freebsd-gnats-submit@freebsd.org, freebsd-bugs@freebsd.org
Subject:   Re: bin/79260: syslogd may accept illegal facility number from remote.
Message-ID:  <20050328121037.GA773@zaphod.nitro.dk>
In-Reply-To: <20050328102701.GB50980@cell.sick.ru>
References:  <200503262010.j2QKA5cD024282@freefall.freebsd.org> <20050328102701.GB50980@cell.sick.ru>

On 2005.03.28 14:27:01 +0400, Gleb Smirnoff wrote:
> On Sat, Mar 26, 2005 at 08:10:05PM +0000, Simon L. Nielsen wrote:
> S>  > from remote host. But in struct filed, the member variable arrays f_pmask
> S>  > and f_pcmp are limited to LOG_NFACILITIES. Therefore syslogd
> S>  > accesses an invalid address in logmsg() when the facility is larger than
> S>  > LOG_NFACILITIES.
> S>
> S>  Have you looked at what the implications of this are, mainly can you
> S>  crash syslogd due to this bug?
>
> No, it is impossible to crash syslogd exploiting this bug. We have a magic
> constant 0x3f8, which is anded with facility, so fac can't overflow over 127.
> f_pmask[] and f_pcmp[] fields in struct filed are followed by a big field f_un,
> which is MAXPATHLEN bytes long. That's why we will never read memory outside of
> struct filed.

OK, great.  Thanks for looking into this!

-- 
Simon L. Nielsen
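
The bound discussed in this thread, as an added example (not code from syslogd or from either participant): masking with 0x3f8 caps the facility at 127, while an explicit check keeps it below LOG_NFACILITIES before it is used as an array index. The names parse_pri, masked_facility and the EX_ constants are hypothetical; the constant values mirror <sys/syslog.h>, and treating LOG_NFACILITIES as the array length is an assumption.

```c
#include <stddef.h>
#include <stdlib.h>

/* Values mirror <sys/syslog.h>; redefined so the example is self-contained. */
#define EX_LOG_PRIMASK     0x07
#define EX_LOG_FACMASK     0x03f8
#define EX_LOG_NFACILITIES 24
#define EX_LOG_FAC(p)      (((p) & EX_LOG_FACMASK) >> 3)

/* Facility after masking only, as described in the thread: never above 127. */
int masked_facility(int pri)
{
    return EX_LOG_FAC(pri);
}

/*
 * Parse a leading "<NNN>" priority from a received message.
 * Returns 0 and fills *fac and *level when the priority is well formed and
 * the facility is a valid index (assumed: 0 .. EX_LOG_NFACILITIES - 1).
 * Returns -1 otherwise, so the caller never indexes per-facility arrays
 * with an out-of-range value.
 */
int parse_pri(const char *msg, int *fac, int *level)
{
    char *end;
    long pri;

    /* Require '<' followed directly by a digit: no sign, no whitespace. */
    if (msg == NULL || msg[0] != '<' || msg[1] < '0' || msg[1] > '9')
        return -1;
    pri = strtol(msg + 1, &end, 10);
    /* At most three digits, terminated by '>'. */
    if (*end != '>' || end - (msg + 1) > 3)
        return -1;
    /* Reject stray bits instead of silently masking them away. */
    if (pri & ~(long)(EX_LOG_PRIMASK | EX_LOG_FACMASK))
        return -1;
    /* The mask alone still allows 24..127; bound the index explicitly. */
    if (EX_LOG_FAC(pri) >= EX_LOG_NFACILITIES)
        return -1;
    *fac = (int)EX_LOG_FAC(pri);
    *level = (int)(pri & EX_LOG_PRIMASK);
    return 0;
}
```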
