Date: Mon, 13 Mar 2000 20:33:38 +0900
From: Seigo Tanimura <tanimura@r.dl.itc.u-tokyo.ac.jp>
To: freebsd-hackers@freebsd.org
Cc: Seigo Tanimura <tanimura@r.dl.itc.u-tokyo.ac.jp>
Subject: buffer overflow in rtm_type_name() of routed(8)
Message-ID: <14540.53778.434837.9786L@rina.r.dl.itc.u-tokyo.ac.jp>
--Multipart_Mon_Mar_13_20:33:38_2000-1 Content-Type: text/plain; charset=US-ASCII I had been experiencing routed(8) dumping core in about five minutes after rebooting my box for several months. A string buffer in rtm_type_name() of src/sbin/routed/table.c was overrun if the string appropriate to the argument of rtm_type_name() was not found. The router is a box running Solaris 2.6. The following patch should fix this problem. With this patch routed(8) in my box is running just fine for more than two days. --Multipart_Mon_Mar_13_20:33:38_2000-1 Content-Type: text/plain; type=patch; charset=US-ASCII Content-Disposition: attachment; filename="table.c.diff" Content-Transfer-Encoding: 7bit --- table.c.org Fri Sep 17 03:50:10 1999 +++ table.c Sat Mar 11 15:03:09 2000 @@ -617,6 +617,7 @@ } +#define NAME0_LEN 14 static const char * rtm_type_name(u_char type) { @@ -636,12 +637,12 @@ "RTM_DELADDR", "RTM_IFINFO" }; - static char name0[10]; + static char name0[NAME0_LEN]; if (type > sizeof(rtm_types)/sizeof(rtm_types[0]) || type == 0) { - sprintf(name0, "RTM type %#x", type); + snprintf(name0, NAME0_LEN, "RTM type %#x", type); return name0; } else { return rtm_types[type-1]; --Multipart_Mon_Mar_13_20:33:38_2000-1 Content-Type: text/plain; charset=US-ASCII -- Seigo Tanimura <tanimura@r.dl.itc.u-tokyo.ac.jp> <tanimura@FreeBSD.org> --Multipart_Mon_Mar_13_20:33:38_2000-1-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
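Review bot: the `#define NAME0_LEN 14` added in the first hunk (@@ -617,6 +617,7) is an unexplained constant at file scope, and it is only correct because of the format string used further down. 14 is exactly the worst case of "RTM type %#x" for a u_char: 9 characters of prefix, "0xff", and the terminating NUL. A comment stating that, or sizing the array as sizeof("RTM type 0xff"), would keep the buffer and the format from drifting apart if either is edited later.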
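Review bot: in the second hunk (@@ -636,12 +637,12) the new snprintf() call bounds the write with NAME0_LEN instead of the array it protects; `snprintf(name0, sizeof(name0), "RTM type %#x", type);` stays correct if the declaration of name0 ever changes and makes the macro unnecessary. The removed `name0[10]` could not hold any output of this format, since the prefix "RTM type " alone is 9 characters and at least one digit plus the NUL follow, so every call that reached the sprintf() wrote past the buffer. It is also worth a line in the commit message that snprintf() truncates silently, so a future change to the format or to the type of the argument would produce a shortened name rather than an error.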