From owner-freebsd-hackers@FreeBSD.ORG  Sat Sep  6 13:16:18 2003
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0FED916A4BF
	for <hackers@freebsd.org>; Sat,  6 Sep 2003 13:16:18 -0700 (PDT)
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 894D543FB1
	for <hackers@freebsd.org>; Sat,  6 Sep 2003 13:16:17 -0700 (PDT)
	(envelope-from dillon@apollo.backplane.com)
Received: from apollo.backplane.com (localhost [127.0.0.1])
	by apollo.backplane.com (8.12.9/8.12.6) with ESMTP id h86KGHVI042417
	for <hackers@freebsd.org>; Sat, 6 Sep 2003 13:16:17 -0700 (PDT)
	(envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.12.9/8.12.6/Submit) id h86KGHgJ042416;
	Sat, 6 Sep 2003 13:16:17 -0700 (PDT)
Date: Sat, 6 Sep 2003 13:16:17 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
Message-Id: <200309062016.h86KGHgJ042416@apollo.backplane.com>
To: hackers@freebsd.org
Subject: 
	Possible memory overrun and/or MALLOC api violation in getsockaddr()
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Sep 2003 20:16:18 -0000

    From what I can tell getsockaddr() (kern/uipc_syscalls.c) is called 
    with a user-supplied length as its argument.  It checks for
    len > SOCK_MAXADDRLEN, but it does not check to see if the length is
    too small and it may MALLOC() a structure, 'sa', which is too small
    for the assignment or assignments it then proceeds to do.  e.g.
    'sa->sa_len = len'.  This could potentially assign a field that is
    beyond the malloc'd region.

    In particular, if you create a UNIX domain socket and bind(...) a 
    0-length structure, the malloc function will be called
    with a length of 0 and sa->sa_len will be assigned to the resulting
    memory.

    Now, due to the the way the allocator works there might be a minimum
    allocation anyway (there is in the old malloc, but I am not sure about
    the slab allocator), so this may or may not be a security issue, but it
    definitely looks like a rather serious API violation.

    If I understand sockaddr's properly, the minimum size is going to be
    offsetof(struct sockaddr, sa_data[0]), which is 2 bytes.  A check
    for this minimum should probably be added to getsockaddr().

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>