From nobody@FreeBSD.org  Sat Oct 23 16:36:56 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 15F9F1065670
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 23 Oct 2010 16:36:56 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id EC9FA8FC13
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 23 Oct 2010 16:36:55 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o9NGatrc030687
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 23 Oct 2010 16:36:55 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o9NGatRM030686;
	Sat, 23 Oct 2010 16:36:55 GMT
	(envelope-from nobody)
Message-Id: <201010231636.o9NGatRM030686@www.freebsd.org>
Date: Sat, 23 Oct 2010 16:36:55 GMT
From: Alexey Illarionov <littlesavage@rambler.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] sbin/route/route.c: Incorrect array bounds checking
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         151664
>Category:       bin
>Synopsis:       [PATCH] route(8): sbin/route/route.c: Incorrect array bounds checking
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 23 16:40:04 UTC 2010
>Closed-Date:    Wed Apr 06 17:54:33 UTC 2011
>Last-Modified:  Wed Apr 06 17:54:33 UTC 2011
>Originator:     Alexey Illarionov
>Release:        8.1-STABLE
>Organization:
>Environment:
8.1-STABLE
>Description:
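sbin/route/route.c has incorrect bounds checking of msgtypes[] in print_rtmsg(): the only test compares msgtypes[rtm->rtm_type] with NULL, so rtm_type, which comes from the received message, indexes the array before anything confirms that it is in range: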

char *msgtypes[] = {
 "",
 ...
 0
};

void
print_rtmsg(rtm, msglen)
{
..
   if (msgtypes[rtm->rtm_type] != NULL)
       (void)printf("%s: ", msgtypes[rtm->rtm_type]);
..
}

There is also no checks for received message length (msglen) there.

>How-To-Repeat:
Run `route monitor` and send invalid message to PF_ROUTE socket:

$ route monitor &
[1] 13682
$ perl -MSocket  -e 'socket(SOCK, PF_ROUTE, SOCK_RAW, 0); syswrite(SOCK, pack("Scc",4,5,0xa0));'

got message of size 4 on Sat Oct 23 20:26:51 2010
[1]+  Segmentation fault: 11  route monitor

>Fix:


Patch attached with submission follows:

--- route.c.orig	2010-10-23 19:33:31.560869646 +0400
+++ route.c	2010-10-23 20:28:18.947314302 +0400
@@ -1303,7 +1303,7 @@
 	"RTM_NEWMADDR: new multicast group membership on iface",
 	"RTM_DELMADDR: multicast group membership removed from iface",
 	"RTM_IFANNOUNCE: interface arrival/departure",
-	0,
+	"RTM_IEEE80211: IEEE80211 wireless event"
 };
 
 char metricnames[] =
@@ -1341,7 +1341,7 @@
 		    rtm->rtm_version);
 		return;
 	}
-	if (msgtypes[rtm->rtm_type] != NULL)
+	if (rtm->rtm_type < sizeof(msgtypes)/sizeof(msgtypes[0]))
 		(void)printf("%s: ", msgtypes[rtm->rtm_type]);
 	else
 		(void)printf("#%d: ", rtm->rtm_type);
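Review bot: Nothing on the new side confirms that msglen reaches past rtm_type before `rtm->rtm_version` (context above) and `rtm->rtm_type` (the rewritten test) are read; the length checks this patch adds run only later, inside the switch. The report shows a 4-byte message reaching print_rtmsg(), which covers both fields, but whether a shorter read can arrive is not visible from this hunk. A guard at the top of the function, which lies outside the hunk, would settle it: `if (msglen < offsetof(struct rt_msghdr, rtm_type) + sizeof(rtm->rtm_type)) return;`. The same gap is left by the `-1342` hunk of route.c.diff and the `-1343` hunk of r216297 further down the page.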
@@ -1349,6 +1349,10 @@
 	switch (rtm->rtm_type) {
 	case RTM_IFINFO:
 		ifm = (struct if_msghdr *)rtm;
+		if (msglen < sizeof(struct if_msghdr)) {
+		   printf("invalid\n");
+		   break;
+		}
 		(void) printf("if# %d, ", ifm->ifm_index);
 		switch (ifm->ifm_data.ifi_link_state) {
 		case LINK_STATE_DOWN:
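Review bot: The added `msglen < sizeof(struct if_msghdr)` compares against a size_t, so if msglen is still the `int` parameter that the later route.c.diff on this page shows for print_rtmsg(), a negative value is converted to a large unsigned number and passes the check. Writing it as `if (msglen < 0 || (size_t)msglen < sizeof(struct if_msghdr)) {` closes that. The same comparison is added in the `-1368`, `-1376` and `-1397` hunks. The added lines also indent with a tab plus three spaces and drop the `(void)` cast that the surrounding printf() calls use.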
@@ -1368,6 +1372,10 @@
 	case RTM_NEWADDR:
 	case RTM_DELADDR:
 		ifam = (struct ifa_msghdr *)rtm;
+		if (msglen < sizeof(struct ifa_msghdr)) {
+		   printf("invalid\n");
+		   break;
+		}
 		(void) printf("metric %d, flags:", ifam->ifam_metric);
 		bprintf(stdout, ifam->ifam_flags, routeflags);
 		pmsg_addrs((char *)(ifam + 1), ifam->ifam_addrs);
@@ -1376,11 +1384,19 @@
 	case RTM_NEWMADDR:
 	case RTM_DELMADDR:
 		ifmam = (struct ifma_msghdr *)rtm;
+		if (msglen < sizeof(struct ifma_msghdr)) {
+		   printf("invalid\n");
+		   break;
+		}
 		pmsg_addrs((char *)(ifmam + 1), ifmam->ifmam_addrs);
 		break;
 #endif
 	case RTM_IFANNOUNCE:
 		ifan = (struct if_announcemsghdr *)rtm;
+		if (msglen < sizeof(struct if_announcemsghdr)) {
+		   printf("invalid\n");
+		   break;
+		}
 		(void) printf("if# %d, what: ", ifan->ifan_index);
 		switch (ifan->ifan_what) {
 		case IFAN_ARRIVAL:
@@ -1397,6 +1413,10 @@
 		break;
 
 	default:
+		if (msglen < sizeof(struct if_msghdr)){
+		   printf("invalid\n");
+		   break;
+		}
 		(void) printf("pid: %ld, seq %d, errno %d, flags:",
 			(long)rtm->rtm_pid, rtm->rtm_seq, rtm->rtm_errno);
 		bprintf(stdout, rtm->rtm_flags, routeflags);
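Review bot: The default branch sizes the message against `struct if_msghdr`, but the fields it goes on to print (`rtm_pid`, `rtm_seq`, `rtm_errno`, `rtm_flags`) belong to `struct rt_msghdr`, so the check does not establish that those fields lie inside the received bytes. The test should read `if (msglen < sizeof(struct rt_msghdr)) {`. The branch continues past the end of this hunk, so whatever it reads after bprintf() needs the same bound.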


>Release-Note:
>Audit-Trail:

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: Alexey Illarionov <littlesavage@rambler.ru>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/151664: [PATCH] sbin/route/route.c: Incorrect array bounds
 checking
Date: Mon, 25 Oct 2010 18:12:06 +0400

 --G6nVm6DDWH/FONJq
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 
   Hello!
 
   Here is another patch, which also checks msglen deeper down, when printing the sockaddrs.
 
 -- 
 Totus tuus, Glebius.
 
 --G6nVm6DDWH/FONJq
 Content-Type: text/x-diff; charset=koi8-r
 Content-Disposition: attachment; filename="route.c.diff"
 
 Index: route.c
 ===================================================================
 --- route.c	(revision 213832)
 +++ route.c	(working copy)
 @@ -115,11 +115,11 @@
  static void	monitor(void);
  static const char	*netname(struct sockaddr *);
  static void	newroute(int, char **);
 -static void	pmsg_addrs(char *, int);
 -static void	pmsg_common(struct rt_msghdr *);
 +static void	pmsg_addrs(char *, int, size_t);
 +static void	pmsg_common(struct rt_msghdr *, size_t);
  static int	prefixlen(const char *);
  static void	print_getmsg(struct rt_msghdr *, int);
 -static void	print_rtmsg(struct rt_msghdr *, int);
 +static void	print_rtmsg(struct rt_msghdr *, size_t);
  static const char	*routename(struct sockaddr *);
  static int	rtmsg(int, int);
  static void	set_metric(char *, int);
 @@ -1306,7 +1306,7 @@
  	"RTM_NEWMADDR: new multicast group membership on iface",
  	"RTM_DELMADDR: multicast group membership removed from iface",
  	"RTM_IFANNOUNCE: interface arrival/departure",
 -	0,
 +	"RTM_IEEE80211: IEEE 802.11 wireless event",
  };
  
  char metricnames[] =
 @@ -1325,7 +1325,7 @@
  "\1DST\2GATEWAY\3NETMASK\4GENMASK\5IFP\6IFA\7AUTHOR\010BRD";
  
  static void
 -print_rtmsg(struct rt_msghdr *rtm, int msglen __unused)
 +print_rtmsg(struct rt_msghdr *rtm, size_t msglen)
  {
  	struct if_msghdr *ifm;
  	struct ifa_msghdr *ifam;
 @@ -1342,13 +1342,22 @@
  		    rtm->rtm_version);
  		return;
  	}
 -	if (msgtypes[rtm->rtm_type] != NULL)
 +	if (rtm->rtm_type < sizeof(msgtypes)/sizeof(msgtypes[0]))
  		(void)printf("%s: ", msgtypes[rtm->rtm_type]);
  	else
  		(void)printf("#%d: ", rtm->rtm_type);
  	(void)printf("len %d, ", rtm->rtm_msglen);
 +
 +#define	REQUIRE(x)	do {		\
 +	if (msglen < sizeof(x))		\
 +		goto badlen;		\
 +	else				\
 +		msglen -= sizeof(x);	\
 +	} while (0)
 +
  	switch (rtm->rtm_type) {
  	case RTM_IFINFO:
 +		REQUIRE(struct if_msghdr);
  		ifm = (struct if_msghdr *)rtm;
  		(void) printf("if# %d, ", ifm->ifm_index);
  		switch (ifm->ifm_data.ifi_link_state) {
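Review bot: REQUIRE() is defined without a comment and is never undefined, although it hides a `goto badlen` and silently modifies the local `msglen`. A comment above it such as `/* REQUIRE(x): jump to badlen unless msglen covers sizeof(x); otherwise subtract sizeof(x) so msglen is the bytes left after the header. */` would make the control flow visible at the call sites, and an `#undef REQUIRE` after the `badlen:` label would keep the macro from leaking into the rest of route.c. r216297 further down adds the #undef but not the comment. The switch that uses the macro continues past the end of this hunk.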
 @@ -1364,23 +1373,26 @@
  		}
  		(void) printf("link: %s, flags:", state);
  		bprintf(stdout, ifm->ifm_flags, ifnetflags);
 -		pmsg_addrs((char *)(ifm + 1), ifm->ifm_addrs);
 +		pmsg_addrs((char *)(ifm + 1), ifm->ifm_addrs, msglen);
  		break;
  	case RTM_NEWADDR:
  	case RTM_DELADDR:
 +		REQUIRE(struct ifa_msghdr);
  		ifam = (struct ifa_msghdr *)rtm;
  		(void) printf("metric %d, flags:", ifam->ifam_metric);
  		bprintf(stdout, ifam->ifam_flags, routeflags);
 -		pmsg_addrs((char *)(ifam + 1), ifam->ifam_addrs);
 +		pmsg_addrs((char *)(ifam + 1), ifam->ifam_addrs, msglen);
  		break;
  #ifdef RTM_NEWMADDR
  	case RTM_NEWMADDR:
  	case RTM_DELMADDR:
 +		REQUIRE(struct ifma_msghdr);
  		ifmam = (struct ifma_msghdr *)rtm;
 -		pmsg_addrs((char *)(ifmam + 1), ifmam->ifmam_addrs);
 +		pmsg_addrs((char *)(ifmam + 1), ifmam->ifmam_addrs, msglen);
  		break;
  #endif
  	case RTM_IFANNOUNCE:
 +		REQUIRE(struct if_announcemsghdr);
  		ifan = (struct if_announcemsghdr *)rtm;
  		(void) printf("if# %d, what: ", ifan->ifan_index);
  		switch (ifan->ifan_what) {
 @@ -1401,8 +1413,13 @@
  		(void) printf("pid: %ld, seq %d, errno %d, flags:",
  			(long)rtm->rtm_pid, rtm->rtm_seq, rtm->rtm_errno);
  		bprintf(stdout, rtm->rtm_flags, routeflags);
 -		pmsg_common(rtm);
 +		pmsg_common(rtm, msglen);
  	}
 +
 +	return;
 +
 +badlen:
 +	(void)printf("bad message length %u\n", msglen);
  }
  
  static void
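Review bot: The `badlen:` message prints msglen with `%u`, but this patch makes msglen a size_t, so the conversion specifier no longer matches the argument where size_t is wider than unsigned int. It should be `(void)printf("bad message length %zu\n", msglen);`. REQUIRE() also jumps here before subtracting, so the value printed is the number of bytes that were available, not the size that was required; the message would be clearer if it said so.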
 @@ -1490,7 +1507,7 @@
  #undef msec
  #define	RTA_IGN	(RTA_DST|RTA_GATEWAY|RTA_NETMASK|RTA_IFP|RTA_IFA|RTA_BRD)
  	if (verbose)
 -		pmsg_common(rtm);
 +		pmsg_common(rtm, msglen);
  	else if (rtm->rtm_addrs &~ RTA_IGN) {
  		(void) printf("sockaddrs: ");
  		bprintf(stdout, rtm->rtm_addrs, addrnames);
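Review bot: `pmsg_common(rtm, msglen)` now hands print_getmsg()'s length to a size_t parameter, while the prototype hunk at the top of this patch leaves print_getmsg() declared as `(struct rt_msghdr *, int)`. If that int can be negative, the implicit conversion turns it into a very large bound and the new checks in pmsg_common() and pmsg_addrs() stop limiting anything; print_getmsg()'s body is outside the hunk, so whether it validates the value first cannot be seen here. Either change print_getmsg() to take size_t as well or pass a checked value, for example `pmsg_common(rtm, msglen > 0 ? (size_t)msglen : 0);`. The `-1491` hunk of r216297 makes the same call.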
 @@ -1500,17 +1517,21 @@
  }
  
  static void
 -pmsg_common(struct rt_msghdr *rtm)
 +pmsg_common(struct rt_msghdr *rtm, size_t msglen)
  {
  	(void) printf("\nlocks: ");
  	bprintf(stdout, rtm->rtm_rmx.rmx_locks, metricnames);
  	(void) printf(" inits: ");
  	bprintf(stdout, rtm->rtm_inits, metricnames);
 -	pmsg_addrs(((char *)(rtm + 1)), rtm->rtm_addrs);
 +	if (msglen > sizeof(struct rt_msghdr))
 +		pmsg_addrs(((char *)(rtm + 1)), rtm->rtm_addrs,
 +		    msglen - sizeof(struct rt_msghdr));
 +	else
 +		(void) fflush(stdout);
  }
  
  static void
 -pmsg_addrs(char *cp, int addrs)
 +pmsg_addrs(char *cp, int addrs, size_t len)
  {
  	struct sockaddr *sa;
  	int i;
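Review bot: pmsg_common() reads `rtm->rtm_rmx.rmx_locks` and `rtm->rtm_inits` before msglen is compared with `sizeof(struct rt_msghdr)`; the new test guards only the pmsg_addrs() call. Its caller in the default branch of print_rtmsg() (the `-1401` hunk) likewise prints rtm_pid, rtm_seq, rtm_errno and rtm_flags with no length test, unlike the cases shown in the other hunks, which all start with REQUIRE(). The comparison in pmsg_common() should move above the first bprintf() and return on a short message, and the default branch needs its own `if (msglen < sizeof(struct rt_msghdr)) goto badlen;` (not REQUIRE(), which would subtract the header a second time). r216297 carries the same ordering in its `-1402` and `-1501` hunks. This hunk also spans the start of pmsg_addrs(), whose body continues outside it.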
 @@ -1524,8 +1545,17 @@
  	(void) putchar('\n');
  	for (i = 1; i != 0; i <<= 1)
  		if (i & addrs) {
 +			if (len < sizeof(struct sockaddr)) {
 +				(void) printf("bad message length\n");
 +				break;
 +			}
  			sa = (struct sockaddr *)cp;
  			(void) printf(" %s", routename(sa));
 +			if (len < SA_SIZE(sa)) {
 +				(void) printf("bad message length\n");
 +				break;
 +			}
 +			len -= SA_SIZE(sa);
  			cp += SA_SIZE(sa);
  		}
  	(void) putchar('\n');
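Review bot: `routename(sa)` is called before the `len < SA_SIZE(sa)` test, so the address is decoded and printed before anything confirms that the size it claims fits in the bytes left; the first added check only guarantees `sizeof(struct sockaddr)`. The SA_SIZE() comparison should sit directly after `sa = (struct sockaddr *)cp;` and ahead of the printf(), which is the order r216297 below ends up with. pmsg_addrs() begins outside this hunk.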
 
 --G6nVm6DDWH/FONJq--

From: Alexey Illarionov <littlesavage@orionet.ru>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/151664: [PATCH] route(8): sbin/route/route.c: Incorrect array
 bounds checking
Date: Tue, 02 Nov 2010 22:42:05 +0300

 This is a cryptographically signed message in MIME format.
 
 --------------ms020802020500050608040702
 Content-Type: text/plain; charset=KOI8-R; format=flowed
 Content-Transfer-Encoding: quoted-printable
 
 Hi
 
 I have reported this problem to the OpenBSD team too (user/6500).
 They added some checks for rtsock messages in the kernel:
 http://kerneltrap.org/mailarchive/openbsd-source-changes/2010/10/25/6890078
 http://kerneltrap.org/mailarchive/openbsd-source-changes/2010/10/28/6890167
 
 
 --------------ms020802020500050608040702
 Content-Type: application/pkcs7-signature; name="smime.p7s"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment; filename="smime.p7s"
 Content-Description: S/MIME Cryptographic Signature
 
 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIVMjCC
 BqIwggWKoAMCAQICAwDRMjANBgkqhkiG9w0BAQUFADCBjDELMAkGA1UEBhMCSUwxFjAUBgNV
 BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRl
 IFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlh
 dGUgQ2xpZW50IENBMB4XDTA5MTIxODAzNTEwN1oXDTEwMTIxOTE5MDA1MVowgZUxIDAeBgNV
 BA0TFzExNTM5NS16NXZCN20zYWFualY2V0ZTMR4wHAYDVQQKExVQZXJzb25hIE5vdCBWYWxp
 ZGF0ZWQxKTAnBgNVBAMTIFN0YXJ0Q29tIEZyZWUgQ2VydGlmaWNhdGUgTWVtYmVyMSYwJAYJ
 KoZIhvcNAQkBFhdsaXR0bGVzYXZhZ2VAb3Jpb25ldC5ydTCCASIwDQYJKoZIhvcNAQEBBQAD
 ggEPADCCAQoCggEBAK6YJvopM4ZRqdBCcxY4t1S/ggmk8dO8soy1ONEB8J1dDMUEBMsEeG7H
 iCWskzOjbHbXy12ZreakqUFs9rs8gLD597ROrpd8A465j0snwGsSBW8PZicJeYb9PE2LLVh8
 t9eAWEqEiCf+tUbPpcMCg2iguJY32fhPdKHaCBaUht4QIt4x5EUxsSPp8mKDK3EnqbqXzHNT
 uDI7pXYV+se1h+p3Ma2WxuGARvvFmtgCnK2sPfHKeDfWDVGO03ztrbIR34VxwP0xxSAb0kcJ
 axS5QOHjjbVevLyJ3vh65yZADZIL0paRxN/bxfSv/4KencjpM8QP7j4DMM9s+gRL50C5ZA8C
 AwEAAaOCAwAwggL8MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdJQQWMBQGCCsGAQUF
 BwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUp6RzBNl6KxD6ESlaK1NduaUl5FowHwYDVR0jBBgw
 FoAUU3Ltkpzg2ssBXHx+ljVO8tS4UYIwIgYDVR0RBBswGYEXbGl0dGxlc2F2YWdlQG9yaW9u
 ZXQucnUwggFCBgNVHSAEggE5MIIBNTCCATEGCysGAQQBgbU3AQIBMIIBIDAuBggrBgEFBQcC
 ARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0BggrBgEFBQcCARYoaHR0
 cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRlLnBkZjCBtwYIKwYBBQUHAgIwgaow
 FBYNU3RhcnRDb20gTHRkLjADAgEBGoGRTGltaXRlZCBMaWFiaWxpdHksIHNlZSBzZWN0aW9u
 ICpMZWdhbCBMaW1pdGF0aW9ucyogb2YgdGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0
 aG9yaXR5IFBvbGljeSBhdmFpbGFibGUgYXQgaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9s
 aWN5LnBkZjBjBgNVHR8EXDBaMCugKaAnhiVodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9jcnR1
 MS1jcmwuY3JsMCugKaAnhiVodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9jcnR1MS1jcmwuY3Js
 MIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5j
 b20vc3ViL2NsYXNzMS9jbGllbnQvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly93d3cuc3RhcnRz
 c2wuY29tL2NlcnRzL3N1Yi5jbGFzczEuY2xpZW50LmNhLmNydDAjBgNVHRIEHDAahhhodHRw
 Oi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQEFBQADggEBAAuawGKKweHqXzNHYEp2
 GOt2ezkpAnZJO5585C5DV0NxOmA54/tblVyLkelEp15jCxFptq+U0dFUgKVeT4RgyXtjl3J6
 L2jYp7k3T6F9gbMe4FgTZcqItyoOSCM+KTrwUV9bBkIyt9vh5DONcG2H21X9QYfpGuMfDn49
 1li9I6AtHDPRVzbTQ7DCgEXuq8dVm8X2TdykFwUsW7QMFMNyWZQgvcqI6vt1TRTC0NMLPywo
 34sEJRZZ6OeQOIbiI4nOqieDG6UyUhGCQ12uH1C2J7L8mPTSI8HTNPrDD1plRpFcvP94AYpC
 XBA21pPkUS+VERCO9lDKmP3+Yv8C+cRzi6cwggaiMIIFiqADAgECAgMA0TIwDQYJKoZIhvcN
 AQEFBQAwgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL
 EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENv
 bSBDbGFzcyAxIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTAeFw0wOTEyMTgwMzUx
 MDdaFw0xMDEyMTkxOTAwNTFaMIGVMSAwHgYDVQQNExcxMTUzOTUtejV2QjdtM2FhbmpWNldG
 UzEeMBwGA1UEChMVUGVyc29uYSBOb3QgVmFsaWRhdGVkMSkwJwYDVQQDEyBTdGFydENvbSBG
 cmVlIENlcnRpZmljYXRlIE1lbWJlcjEmMCQGCSqGSIb3DQEJARYXbGl0dGxlc2F2YWdlQG9y
 aW9uZXQucnUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCumCb6KTOGUanQQnMW
 OLdUv4IJpPHTvLKMtTjRAfCdXQzFBATLBHhux4glrJMzo2x218tdma3mpKlBbPa7PICw+fe0
 Tq6XfAOOuY9LJ8BrEgVvD2YnCXmG/TxNiy1YfLfXgFhKhIgn/rVGz6XDAoNooLiWN9n4T3Sh
 2ggWlIbeECLeMeRFMbEj6fJigytxJ6m6l8xzU7gyO6V2FfrHtYfqdzGtlsbhgEb7xZrYApyt
 rD3xyng31g1RjtN87a2yEd+FccD9McUgG9JHCWsUuUDh4421Xry8id74eucmQA2SC9KWkcTf
 28X0r/+Cnp3I6TPED+4+AzDPbPoES+dAuWQPAgMBAAGjggMAMIIC/DAJBgNVHRMEAjAAMAsG
 A1UdDwQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHQYDVR0OBBYEFKek
 cwTZeisQ+hEpWitTXbmlJeRaMB8GA1UdIwQYMBaAFFNy7ZKc4NrLAVx8fpY1TvLUuFGCMCIG
 A1UdEQQbMBmBF2xpdHRsZXNhdmFnZUBvcmlvbmV0LnJ1MIIBQgYDVR0gBIIBOTCCATUwggEx
 BgsrBgEEAYG1NwECATCCASAwLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3RhcnRzc2wuY29t
 L3BvbGljeS5wZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL2ludGVy
 bWVkaWF0ZS5wZGYwgbcGCCsGAQUFBwICMIGqMBQWDVN0YXJ0Q29tIEx0ZC4wAwIBARqBkUxp
 bWl0ZWQgTGlhYmlsaXR5LCBzZWUgc2VjdGlvbiAqTGVnYWwgTGltaXRhdGlvbnMqIG9mIHRo
 ZSBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBQb2xpY3kgYXZhaWxhYmxlIGF0
 IGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwYwYDVR0fBFwwWjAroCmgJ4Yl
 aHR0cDovL3d3dy5zdGFydHNzbC5jb20vY3J0dTEtY3JsLmNybDAroCmgJ4YlaHR0cDovL2Ny
 bC5zdGFydHNzbC5jb20vY3J0dTEtY3JsLmNybDCBjgYIKwYBBQUHAQEEgYEwfzA5BggrBgEF
 BQcwAYYtaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL3N1Yi9jbGFzczEvY2xpZW50L2NhMEIG
 CCsGAQUFBzAChjZodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9jZXJ0cy9zdWIuY2xhc3MxLmNs
 aWVudC5jYS5jcnQwIwYDVR0SBBwwGoYYaHR0cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqG
 SIb3DQEBBQUAA4IBAQALmsBiisHh6l8zR2BKdhjrdns5KQJ2STuefOQuQ1dDcTpgOeP7W5Vc
 i5HpRKdeYwsRabavlNHRVIClXk+EYMl7Y5dyei9o2Ke5N0+hfYGzHuBYE2XKiLcqDkgjPik6
 8FFfWwZCMrfb4eQzjXBth9tV/UGH6RrjHw5+PdZYvSOgLRwz0Vc200OwwoBF7qvHVZvF9k3c
 pBcFLFu0DBTDclmUIL3KiOr7dU0UwtDTCz8sKN+LBCUWWejnkDiG4iOJzqongxulMlIRgkNd
 rh9Qtiey/Jj00iPB0zT6ww9aZUaRXLz/eAGKQlwQNtaT5FEvlREQjvZQypj9/mL/AvnEc4un
 MIIH4jCCBcqgAwIBAgIBDTANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEWMBQGA1UE
 ChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUg
 U2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcN
 MDcxMDI0MjEwMTU0WhcNMTIxMDIyMjEwMTU0WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoT
 DVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNp
 Z25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUg
 Q2xpZW50IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxwmDzM4t2BqxKaQu
 E6uWvooyg4ymiEGWVUet1G8SD+rqvyNH4QrvnEIaFHxOhESip7vMz39ScLpNLbL1QpOlPW/t
 FIzNHS3qd2XRNYG5Sv9RcGE+T4qbLtsjjJbi6sL7Ls/f/X9ftTyhxvxWkf8KW37iKrueKsxw
 2HqolH7GM6FX5UfNAwAu4ZifkpmZzU1slBhyWwaQPEPPZRsWoTb7q8hmgv6Nv3Hg9rmA1/VP
 BIOQ6SKRkHXG0Hhmq1dOFoAFI411+a/9nWm5rcVjGcIWZ2v/43Yksq60jExipA4l5uv9/+Hm
 33mbgmCszdj/Dthf13tgAv2O83hLJ0exTqfrlwIDAQABo4IDWzCCA1cwDAYDVR0TBAUwAwEB
 /zALBgNVHQ8EBAMCAaYwHQYDVR0OBBYEFFNy7ZKc4NrLAVx8fpY1TvLUuFGCMIGoBgNVHSME
 gaAwgZ2AFE4L7xqkQFulF2mHMMo0aEPQQa7yoYGBpH8wfTELMAkGA1UEBhMCSUwxFjAUBgNV
 BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRl
 IFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEB
 MAkGA1UdEgQCMAAwPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzAChiFodHRwOi8vd3d3LnN0
 YXJ0c3NsLmNvbS9zZnNjYS5jcnQwYAYDVR0fBFkwVzAsoCqgKIYmaHR0cDovL2NlcnQuc3Rh
 cnRjb20ub3JnL3Nmc2NhLWNybC5jcmwwJ6AloCOGIWh0dHA6Ly9jcmwuc3RhcnRzc2wuY29t
 L3Nmc2NhLmNybDCCAV0GA1UdIASCAVQwggFQMIIBTAYLKwYBBAGBtTcBAQQwggE7MC8GCCsG
 AQUFBwIBFiNodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvcG9saWN5LnBkZjA1BggrBgEFBQcC
 ARYpaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL2ludGVybWVkaWF0ZS5wZGYwgdAGCCsGAQUF
 BwICMIHDMCcWIFN0YXJ0IENvbW1lcmNpYWwgKFN0YXJ0Q29tKSBMdGQuMAMCAQEagZdMaW1p
 dGVkIExpYWJpbGl0eSwgcmVhZCB0aGUgc2VjdGlvbiAqTGVnYWwgTGltaXRhdGlvbnMqIG9m
 IHRoZSBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBQb2xpY3kgYXZhaWxhYmxl
 IGF0IGh0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9wb2xpY3kucGRmMBEGCWCGSAGG+EIBAQQE
 AwIABzBQBglghkgBhvhCAQ0EQxZBU3RhcnRDb20gQ2xhc3MgMSBQcmltYXJ5IEludGVybWVk
 aWF0ZSBGcmVlIFNTTCBFbWFpbCBDZXJ0aWZpY2F0ZXMwDQYJKoZIhvcNAQEFBQADggIBAKqa
 4eBbjM4dG/wdxiwwIKC3kyb98QK2zREovyn/xzDP/4H/Bc8FFDTgoJR+nX2Li0EP3U7TsjG+
 CaIi90+8YlShADpkPrfm/8SzjGtJtfM6EaluJOhpcqMr3OyzK3aYGJP5RIeZ6vLT3fQaDZsI
 ooXl6YSFR/0HpU4FJDc0wuyFaZmFbCrjTp8RNYyRWTTX6mWSv+TraOwuj3zrrddSpgUEi2Wq
 wM9G/5o4IXQbGHx7oXTvL6zrw9IOYO3QOKZDgFNhHeKUgqMAUiLcg/+WhcGe+Y4umKuxghtw
 aYsgD/bLfIfop3NC/u5JqwDCWizAJruhmbOV4LG859MFCb2w/YeY55zDPVGmQ3MZdriwdOKr
 hlFjOjYihmm28UHOvND2G3kK0LvnuieLqjQMc6GuUcZAQOWv96pW4BfbiQXpAqibMMeb0PZI
 Sa7PFEzGiBc2xAuVRkM4kB9/+iieA1D/OTiRJwsf6rkoVgOsN9fCw522tzOmuVfiqDS4bFYv
 00sX/dFGwasHUUf3DsLhpDSYdejb74SKjtuqLDIOuAm2bA1axA6+7kjFeNIngSU6OPSMre+x
 Ajoc/6coaMGthFD+mimr/i/8F8wDwdyzas7oxkdCtaW8hVir8mJnbp4CbckllDMPkeQ6qQNm
 xSDhOeqX1jyx2cTi/vPq+/TyxV/stlehMYID0DCCA8wCAQEwgZQwgYwxCzAJBgNVBAYTAklM
 MRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0
 aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAxIFByaW1hcnkgSW50
 ZXJtZWRpYXRlIENsaWVudCBDQQIDANEyMAkGBSsOAwIaBQCgggIQMBgGCSqGSIb3DQEJAzEL
 BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEwMTEwMjE5NDIwNVowIwYJKoZIhvcNAQkE
 MRYEFLpqYvxn7nfppXunKyp5AzpQ+dErMF8GCSqGSIb3DQEJDzFSMFAwCwYJYIZIAWUDBAEC
 MAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzAN
 BggqhkiG9w0DAgIBKDCBpQYJKwYBBAGCNxAEMYGXMIGUMIGMMQswCQYDVQQGEwJJTDEWMBQG
 A1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNh
 dGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMSBQcmltYXJ5IEludGVybWVk
 aWF0ZSBDbGllbnQgQ0ECAwDRMjCBpwYLKoZIhvcNAQkQAgsxgZeggZQwgYwxCzAJBgNVBAYT
 AklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBD
 ZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAxIFByaW1hcnkg
 SW50ZXJtZWRpYXRlIENsaWVudCBDQQIDANEyMA0GCSqGSIb3DQEBAQUABIIBAKeAmzQpcVKi
 i06hiXIYsYHshgcCcYISnUhqeN7M9z3R52i9gCoOS/pq5gmvqUV9NNZIfye+iD/Vh0G3/hEN
 Uvmh2zjC9WszkqjHhrwC+5E/U7LWILbWchZ1BYpJDdX5c6hQHAypVJ//6kjpC9u/cRfGXHf4
 SnIfBHkPiQ6T7rVoF9bD7YPURH+YRpIBJQLvOHOO/8AblUq0vvWn+gQjsGc3k4Lz/JzMYBNY
 IMjLmp3nAxvWzJToEE1L7JwDol3lykOR/vMvGUsboUsrSVBspdYEcv5c29HLk/biE13orDDH
 LsNEbILDI/7tKkNgWFy05JdPppDTW2pMBSoZFsJUYFAAAAAAAAA=
 --------------ms020802020500050608040702--
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Wed Dec 8 15:05:12 UTC 2010 
State-Changed-Why:  
Committed to head/. 


Responsible-Changed-From-To: freebsd-bugs->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Wed Dec 8 15:05:12 UTC 2010 
Responsible-Changed-Why:  
Committed to head/. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151664 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/151664: commit references a PR
Date: Wed,  8 Dec 2010 15:10:32 +0000 (UTC)

 Author: glebius
 Date: Wed Dec  8 15:10:27 2010
 New Revision: 216296
 URL: http://svn.freebsd.org/changeset/base/216296
 
 Log:
   Add RTM_IEEE80211 to array of route message descriptions.
   
   PR:		151664
   Submitted by:	Alexey Illarionov <littlesavage rambler.ru>
 
 Modified:
   head/sbin/route/route.c
 
 Modified: head/sbin/route/route.c
 ==============================================================================
 --- head/sbin/route/route.c	Wed Dec  8 14:30:25 2010	(r216295)
 +++ head/sbin/route/route.c	Wed Dec  8 15:10:27 2010	(r216296)
 @@ -1306,6 +1306,7 @@ const char *msgtypes[] = {
  	"RTM_NEWMADDR: new multicast group membership on iface",
  	"RTM_DELMADDR: multicast group membership removed from iface",
  	"RTM_IFANNOUNCE: interface arrival/departure",
 +	"RTM_IEEE80211: IEEE 802.11 wireless event",
  	0,
  };
  
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/151664: commit references a PR
Date: Wed,  8 Dec 2010 15:12:42 +0000 (UTC)

 Author: glebius
 Date: Wed Dec  8 15:12:37 2010
 New Revision: 216297
 URL: http://svn.freebsd.org/changeset/base/216297
 
 Log:
   - Fix array bounds checking. [1]
   - Add message length checking.
   
   PR:		151664 [1]
   Submitted by:	Alexey Illarionov <littlesavage rambler.ru> [1]
   Reviewed by:	yar
 
 Modified:
   head/sbin/route/route.c
 
 Modified: head/sbin/route/route.c
 ==============================================================================
 --- head/sbin/route/route.c	Wed Dec  8 15:10:27 2010	(r216296)
 +++ head/sbin/route/route.c	Wed Dec  8 15:12:37 2010	(r216297)
 @@ -115,11 +115,11 @@ static void	mask_addr(void);
  static void	monitor(void);
  static const char	*netname(struct sockaddr *);
  static void	newroute(int, char **);
 -static void	pmsg_addrs(char *, int);
 -static void	pmsg_common(struct rt_msghdr *);
 +static void	pmsg_addrs(char *, int, size_t);
 +static void	pmsg_common(struct rt_msghdr *, size_t);
  static int	prefixlen(const char *);
  static void	print_getmsg(struct rt_msghdr *, int);
 -static void	print_rtmsg(struct rt_msghdr *, int);
 +static void	print_rtmsg(struct rt_msghdr *, size_t);
  static const char	*routename(struct sockaddr *);
  static int	rtmsg(int, int);
  static void	set_metric(char *, int);
 @@ -1307,7 +1307,6 @@ const char *msgtypes[] = {
  	"RTM_DELMADDR: multicast group membership removed from iface",
  	"RTM_IFANNOUNCE: interface arrival/departure",
  	"RTM_IEEE80211: IEEE 802.11 wireless event",
 -	0,
  };
  
  char metricnames[] =
 @@ -1325,8 +1324,11 @@ char ifnetflags[] =
  char addrnames[] =
  "\1DST\2GATEWAY\3NETMASK\4GENMASK\5IFP\6IFA\7AUTHOR\010BRD";
  
 +static const char errfmt[] =
 +"\n%s: truncated route message, only %zu bytes left\n";
 +
  static void
 -print_rtmsg(struct rt_msghdr *rtm, int msglen __unused)
 +print_rtmsg(struct rt_msghdr *rtm, size_t msglen)
  {
  	struct if_msghdr *ifm;
  	struct ifa_msghdr *ifam;
 @@ -1343,13 +1345,22 @@ print_rtmsg(struct rt_msghdr *rtm, int m
  		    rtm->rtm_version);
  		return;
  	}
 -	if (msgtypes[rtm->rtm_type] != NULL)
 +	if (rtm->rtm_type < sizeof(msgtypes) / sizeof(msgtypes[0]))
  		(void)printf("%s: ", msgtypes[rtm->rtm_type]);
  	else
 -		(void)printf("#%d: ", rtm->rtm_type);
 +		(void)printf("unknown type %d: ", rtm->rtm_type);
  	(void)printf("len %d, ", rtm->rtm_msglen);
 +
 +#define	REQUIRE(x)	do {		\
 +	if (msglen < sizeof(x))		\
 +		goto badlen;		\
 +	else				\
 +		msglen -= sizeof(x);	\
 +	} while (0)
 +
  	switch (rtm->rtm_type) {
  	case RTM_IFINFO:
 +		REQUIRE(struct if_msghdr);
  		ifm = (struct if_msghdr *)rtm;
  		(void) printf("if# %d, ", ifm->ifm_index);
  		switch (ifm->ifm_data.ifi_link_state) {
 @@ -1365,23 +1376,26 @@ print_rtmsg(struct rt_msghdr *rtm, int m
  		}
  		(void) printf("link: %s, flags:", state);
  		bprintf(stdout, ifm->ifm_flags, ifnetflags);
 -		pmsg_addrs((char *)(ifm + 1), ifm->ifm_addrs);
 +		pmsg_addrs((char *)(ifm + 1), ifm->ifm_addrs, msglen);
  		break;
  	case RTM_NEWADDR:
  	case RTM_DELADDR:
 +		REQUIRE(struct ifa_msghdr);
  		ifam = (struct ifa_msghdr *)rtm;
  		(void) printf("metric %d, flags:", ifam->ifam_metric);
  		bprintf(stdout, ifam->ifam_flags, routeflags);
 -		pmsg_addrs((char *)(ifam + 1), ifam->ifam_addrs);
 +		pmsg_addrs((char *)(ifam + 1), ifam->ifam_addrs, msglen);
  		break;
  #ifdef RTM_NEWMADDR
  	case RTM_NEWMADDR:
  	case RTM_DELMADDR:
 +		REQUIRE(struct ifma_msghdr);
  		ifmam = (struct ifma_msghdr *)rtm;
 -		pmsg_addrs((char *)(ifmam + 1), ifmam->ifmam_addrs);
 +		pmsg_addrs((char *)(ifmam + 1), ifmam->ifmam_addrs, msglen);
  		break;
  #endif
  	case RTM_IFANNOUNCE:
 +		REQUIRE(struct if_announcemsghdr);
  		ifan = (struct if_announcemsghdr *)rtm;
  		(void) printf("if# %d, what: ", ifan->ifan_index);
  		switch (ifan->ifan_what) {
 @@ -1402,8 +1416,14 @@ print_rtmsg(struct rt_msghdr *rtm, int m
  		(void) printf("pid: %ld, seq %d, errno %d, flags:",
  			(long)rtm->rtm_pid, rtm->rtm_seq, rtm->rtm_errno);
  		bprintf(stdout, rtm->rtm_flags, routeflags);
 -		pmsg_common(rtm);
 +		pmsg_common(rtm, msglen);
  	}
 +
 +	return;
 +
 +badlen:
 +	(void)printf(errfmt, __func__, msglen);
 +#undef	REQUIRE
  }
  
  static void
 @@ -1491,7 +1511,7 @@ print_getmsg(struct rt_msghdr *rtm, int 
  #undef msec
  #define	RTA_IGN	(RTA_DST|RTA_GATEWAY|RTA_NETMASK|RTA_IFP|RTA_IFA|RTA_BRD)
  	if (verbose)
 -		pmsg_common(rtm);
 +		pmsg_common(rtm, msglen);
  	else if (rtm->rtm_addrs &~ RTA_IGN) {
  		(void) printf("sockaddrs: ");
  		bprintf(stdout, rtm->rtm_addrs, addrnames);
 @@ -1501,17 +1521,21 @@ print_getmsg(struct rt_msghdr *rtm, int 
  }
  
  static void
 -pmsg_common(struct rt_msghdr *rtm)
 +pmsg_common(struct rt_msghdr *rtm, size_t msglen)
  {
  	(void) printf("\nlocks: ");
  	bprintf(stdout, rtm->rtm_rmx.rmx_locks, metricnames);
  	(void) printf(" inits: ");
  	bprintf(stdout, rtm->rtm_inits, metricnames);
 -	pmsg_addrs(((char *)(rtm + 1)), rtm->rtm_addrs);
 +	if (msglen > sizeof(struct rt_msghdr))
 +		pmsg_addrs(((char *)(rtm + 1)), rtm->rtm_addrs,
 +		    msglen - sizeof(struct rt_msghdr));
 +	else
 +		(void) fflush(stdout);
  }
  
  static void
 -pmsg_addrs(char *cp, int addrs)
 +pmsg_addrs(char *cp, int addrs, size_t len)
  {
  	struct sockaddr *sa;
  	int i;
 @@ -1526,7 +1550,12 @@ pmsg_addrs(char *cp, int addrs)
  	for (i = 1; i != 0; i <<= 1)
  		if (i & addrs) {
  			sa = (struct sockaddr *)cp;
 +			if (len == 0 || len < SA_SIZE(sa)) {
 +				(void) printf(errfmt, __func__, len);
 +				break;
 +			}
  			(void) printf(" %s", routename(sa));
 +			len -= SA_SIZE(sa);
  			cp += SA_SIZE(sa);
  		}
  	(void) putchar('\n');
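Review bot: The new test bounds the walk by `SA_SIZE(sa)`, a size computed from the sockaddr in the message itself, so it shows that the claimed size fits in what is left but not that the claimed size is large enough for the address family that `routename(sa)` then decodes. routename() is not visible in this hunk, so whether it consults sa_len before reading family-specific fields should be confirmed; if it does not, a per-family minimum length belongs here, before the call. A short comment on the check, e.g. `/* len: bytes of the message still unread; stop at a sockaddr that claims more */`, would also record what `len` counts. pmsg_addrs() begins outside the hunk.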
 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Wed Apr 6 17:54:21 UTC 2011 
State-Changed-Why:  
Merged to stable/8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151664 
>Unformatted:
