Date:      Mon, 28 Mar 2005 14:27:01 +0400
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        "Simon L. Nielsen" <simon@FreeBSD.org>
Cc:        freebsd-gnats-submit@FreeBSD.org
Subject:   Re: bin/79260: syslogd may accept illegal facility number from remote.
Message-ID:  <20050328102701.GB50980@cell.sick.ru>
In-Reply-To: <200503262010.j2QKA5cD024282@freefall.freebsd.org>
References:  <200503262010.j2QKA5cD024282@freefall.freebsd.org>

On Sat, Mar 26, 2005 at 08:10:05PM +0000, Simon L. Nielsen wrote:
S>  > from remote host. But in struct filed, the member variables f_pmask
S>  > array and f_pcmp array are limited to LOG_NFACILITIES. Therefore syslogd
S>  > accesses an invalid address in logmsg() when the facility is larger than
S>  > LOG_NFACILITIES.
S>  
S>  Have you looked at what the implications of this are, mainly can you
S>  crash syslogd due to this bug?

No, it is impossible to crash syslogd exploiting this bug. We have a magic
constant 0x3f8, which is anded with facility, so fac can't overflow over 127.
f_pmask[] and f_pcmp[] fields in struct filed are followed by a big field f_un,
which is MAXPATHLEN bytes long. That's why we will never read memory outside of
struct filed.

However, a bug is a bug, so I'm going to fix it. Thanks, Shuichi!

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
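
Added example, not part of the original message or of syslogd's source: it works through the bound described above (the 0x3f8 mask caps the facility at 127, which still lands inside the structure) and shows the range check the report asks for. The `ex_` names, the simplified struct layout, the array size and the values 24 and 1024 for LOG_NFACILITIES and MAXPATHLEN are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Redefined locally so the example is self-contained (assumed values). */
#define EX_FACMASK     0x03f8  /* the "magic constant" from the message */
#define EX_NFACILITIES 24      /* assumed value of LOG_NFACILITIES */
#define EX_MAXPATHLEN  1024    /* assumed value of MAXPATHLEN */

/* Simplified, hypothetical stand-in for syslogd's struct filed. */
struct ex_filed {
    unsigned char f_pmask[EX_NFACILITIES + 1]; /* assumed array size */
    unsigned char f_pcmp[EX_NFACILITIES + 1];
    char          f_un[EX_MAXPATHLEN];         /* the big trailing field */
};

/* Facility number as decoded from a received <PRI> value. */
static int ex_facility(int pri)
{
    return (pri & EX_FACMASK) >> 3;
}

/* Furthest byte offset that f_pcmp[fac] can reach for any PRI value. */
static size_t ex_worst_offset(void)
{
    return offsetof(struct ex_filed, f_pcmp) + (size_t)ex_facility(~0);
}

/* Range check: 1 if the decoded facility is a legal index, else 0. */
static int ex_facility_valid(int pri)
{
    return ex_facility(pri) < EX_NFACILITIES;
}

int main(void)
{
    /* Constructed PRI values: last legal facility, first illegal, all bits set. */
    int samples[] = { (23 << 3) | 6, (24 << 3) | 6, 1023 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("pri=%4d facility=%3d valid=%d\n", samples[i],
               ex_facility(samples[i]), ex_facility_valid(samples[i]));
    printf("worst offset %zu of %zu bytes\n",
           ex_worst_offset(), sizeof(struct ex_filed));
    return 0;
}
```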
