Date: Sat, 6 Sep 2003 13:16:17 -0700 (PDT) From: Matthew Dillon <dillon@apollo.backplane.com> To: hackers@freebsd.org Subject: Possible memory overrun and/or MALLOC api violation in getsockaddr() Message-ID: <200309062016.h86KGHgJ042416@apollo.backplane.com>
next in thread | raw e-mail | index | archive | help
From what I can tell getsockaddr() (kern/uipc_syscalls.c) is called
with a user-supplied length as its argument. It checks for
len > SOCK_MAXADDRLEN, but it does not check to see if the length is
too small and it may MALLOC() a structure, 'sa', which is too small
for the assignment or assignments it then proceeds to do. e.g.
'sa->sa_len = len'. This could potentially assign a field that is
beyond the malloc'd region.
In particular, if you create a UNIX domain socket and bind(...) a
0-length structure, the malloc function will be called
with a length of 0 and sa->sa_len will be assigned to the resulting
memory.
Now, due to the the way the allocator works there might be a minimum
allocation anyway (there is in the old malloc, but I am not sure about
the slab allocator), so this may or may not be a security issue, but it
definitely looks like a rather serious API violation.
If I understand sockaddr's properly, the minimum size is going to be
offsetof(struct sockaddr, sa_data[0]), which is 2 bytes. A check
for this minimum should probably be added to getsockaddr().
-Matt
Matthew Dillon
<dillon@backplane.com>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200309062016.h86KGHgJ042416>