bin/79260: syslogd may accept illegal facility number from remote.
Gleb Smirnoff
glebius at FreeBSD.org
Mon Mar 28 02:27:07 PST 2005
On Sat, Mar 26, 2005 at 08:10:05PM +0000, Simon L. Nielsen wrote:
S> > from remote host. But in struct filed, the member arrays f_pmask
S> > and f_pcmp are limited to LOG_NFACILITIES. Therefore syslogd
S> > accesses an invalid address in logmsg() when the facility is larger than
S> > LOG_NFACILITIES.
S>
S> Have you looked at what the implications of this are, mainly can you
S> crash syslogd due to this bug?

No, it is impossible to crash syslogd by exploiting this bug. We have a magic
constant 0x3f8, which is ANDed with the facility, so fac can't overflow over 127.
The f_pmask[] and f_pcmp[] fields in struct filed are followed by a big field f_un,
which is MAXPATHLEN bytes long. That's why we will never read memory outside of
struct filed.

However, a bug is a bug, so I'm going to fix it. Thanks, Shuichi!

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
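
The facility decoding and bounds check discussed in this thread, as an added example that is not part of the original message or of syslogd's source. `parse_pri` and the `EX_` constants are hypothetical names; 0x3f8 is the mask quoted above, and 24 is an assumed value for LOG_NFACILITIES.

```c
#include <ctype.h>
#include <stdio.h>

/* Local constants so the example is self-contained. 0x3f8 is the mask
 * quoted in the message; 24 is an assumed value for LOG_NFACILITIES. */
#define EX_FACMASK     0x3f8
#define EX_PRIMASK     0x07
#define EX_NFACILITIES 24

/* Parse the "<N>" header of a received syslog message. Returns 0 and fills
 * *fac and *sev on success; returns -1 if the header is malformed or the
 * facility would index past a table of EX_NFACILITIES entries. */
int parse_pri(const char *msg, int *fac, int *sev)
{
    int pri = 0, digits = 0, f;

    if (*msg++ != '<')
        return -1;
    while (isdigit((unsigned char)*msg) && digits < 4) {
        pri = pri * 10 + (*msg++ - '0');
        digits++;
    }
    if (digits == 0 || *msg != '>')
        return -1;
    if (pri & ~(EX_FACMASK | EX_PRIMASK))  /* bits outside both masks */
        return -1;
    f = (pri & EX_FACMASK) >> 3;           /* at most 127 after masking */
    if (f >= EX_NFACILITIES)               /* masking alone allows 24..127 */
        return -1;
    *fac = f;
    *sev = pri & EX_PRIMASK;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "<13>test", "<191>test", "<192>test", "<1023>test" };

    for (int i = 0; i < 4; i++) {
        int fac = -1, sev = -1;
        int rc = parse_pri(samples[i], &fac, &sev);
        printf("%-11s rc=%d fac=%d sev=%d\n", samples[i], rc, fac, sev);
    }
    return 0;
}
```
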