Date: Sat, 6 Sep 2003 13:16:17 -0700 (PDT) From: Matthew Dillon <dillon@apollo.backplane.com> To: hackers@freebsd.org Subject: Possible memory overrun and/or MALLOC api violation in getsockaddr() Message-ID: <200309062016.h86KGHgJ042416@apollo.backplane.com>
next in thread | raw e-mail | index | archive | help
From what I can tell getsockaddr() (kern/uipc_syscalls.c) is called with a user-supplied length as its argument. It checks for len > SOCK_MAXADDRLEN, but it does not check to see if the length is too small and it may MALLOC() a structure, 'sa', which is too small for the assignment or assignments it then proceeds to do. e.g. 'sa->sa_len = len'. This could potentially assign a field that is beyond the malloc'd region. In particular, if you create a UNIX domain socket and bind(...) a 0-length structure, the malloc function will be called with a length of 0 and sa->sa_len will be assigned to the resulting memory. Now, due to the the way the allocator works there might be a minimum allocation anyway (there is in the old malloc, but I am not sure about the slab allocator), so this may or may not be a security issue, but it definitely looks like a rather serious API violation. If I understand sockaddr's properly, the minimum size is going to be offsetof(struct sockaddr, sa_data[0]), which is 2 bytes. A check for this minimum should probably be added to getsockaddr(). -Matt Matthew Dillon <dillon@backplane.com>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200309062016.h86KGHgJ042416>