From owner-freebsd-bugs@FreeBSD.ORG Mon Mar 28 10:27:07 2005 Return-Path: Delivered-To: freebsd-bugs@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3817916A4CE; Mon, 28 Mar 2005 10:27:07 +0000 (GMT) Received: from relay.bestcom.ru (relay.bestcom.ru [217.72.144.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2705243D48; Mon, 28 Mar 2005 10:27:06 +0000 (GMT) (envelope-from glebius@FreeBSD.org) Received: from cell.sick.ru (root@cell.sick.ru [217.72.144.68]) by relay.bestcom.ru (8.13.1/8.12.9) with ESMTP id j2SAR3KN034566 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 28 Mar 2005 14:27:04 +0400 (MSD) (envelope-from glebius@FreeBSD.org) Received: from cell.sick.ru (glebius@localhost [127.0.0.1]) by cell.sick.ru (8.13.1/8.12.8) with ESMTP id j2SAR2vV051263 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 28 Mar 2005 14:27:02 +0400 (MSD) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.sick.ru (8.13.1/8.13.1/Submit) id j2SAR1V8051262; Mon, 28 Mar 2005 14:27:01 +0400 (MSD) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.sick.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Mon, 28 Mar 2005 14:27:01 +0400 From: Gleb Smirnoff To: "Simon L. Nielsen" Message-ID: <20050328102701.GB50980@cell.sick.ru> Mail-Followup-To: Gleb Smirnoff , "Simon L. Nielsen" , freebsd-gnats-submit@freebsd.org, freebsd-bugs@freebsd.org References: <200503262010.j2QKA5cD024282@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <200503262010.j2QKA5cD024282@freefall.freebsd.org> User-Agent: Mutt/1.5.6i X-Virus-Scanned: ClamAV version devel-20050125, clamav-milter version 0.80ff on relay.bestcom.ru X-Virus-Status: Clean cc: freebsd-bugs@FreeBSD.org cc: freebsd-gnats-submit@FreeBSD.org Subject: Re: bin/79260: syslogd may accept illegal facility number from remote. X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Mar 2005 10:27:07 -0000 On Sat, Mar 26, 2005 at 08:10:05PM +0000, Simon L. Nielsen wrote: S> > from remote host. but in struct filed, member variable f_pmask array S> > and f_pcmp array is limited to LOG_NFACILITIES. therefore syslogd S> > access invalid address in logmsg() when facility is larger than S> > LOG_NFACILITIES. S> S> Have you looked at what the implications of this is, mainly can you S> crash syslogd due to this bug? No, it is impossible to crash syslogd exploiting this bug. We have a magic constant 0x3f8, which is anded with facility, so fac can't overflow over 127. f_pmask[] and f_pcmp[] fields in struct filed are followed by a big field f_un, which is MAXPATHLEN bytes long. That's why we will never read memory outside of struct filed. However, bug is bug, so I'm going to fix it. Thanks, Shuichi! -- Totus tuus, Glebius. GLEBIUS-RIPN GLEB-RIPE