Date: Tue, 27 Sep 2005 20:15:42 GMT From: Stephen Hurd <shurd@sasktel.net> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/86647: natd copy to limied buffer size without checking range Message-ID: <200509272015.j8RKFgeQ021126@www.freebsd.org> Resent-Message-ID: <200509272020.j8RKKMSA003833@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 86647
>Category: misc
>Synopsis: natd copy to limied buffer size without checking range
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 27 20:20:22 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Stephen Hurd
>Release: 5.3-RELEASE
>Organization:
>Environment:
FreeBSD fw.bbsdev.net 5.3-RELEASE FreeBSD 5.3-RELEASE #4: Fri Sep 2 14:31:49 CST 2005 admin@fw.bbsdev.net:/usr/src/sys/i386/compile/FW i386
>Description:
In Setup*Redirect() in natd.c, the params are copied to a fixed-length buffer using strlcpy() then parsed. For large round-robin redirects, 128 is occasionally not enough bytes. natd currently truncates the arguments to 128 bytes and then parses. For a redirect_port such as this:
"redirect_port tcp 192.168.0.13:30023,192.168.0.1:30023,192.168.0.7:30023,192.168.0.12:30023,192.168.0.9:30023,192.168.0.4:3002
3 142.165.59.203:telnet"
This truncates to an invalid line without a message to that effect.
>How-To-Repeat:
Add a redirect_* line to a natd config file (or on command-line) with more that 128 chars in the params.
>Fix:
use strdup() to copy the params, or check param length before copying and throw an error if larger than sizeof(buf)-1
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200509272015.j8RKFgeQ021126>