From proff@profane.iq.org  Sat Jan 25 10:47:25 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA12358;
          Sat, 25 Jan 1997 10:47:15 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id FAA14157;
          Sun, 26 Jan 1997 05:47:18 +1100 (EST)
Message-Id: <199701251847.FAA14157@profane.iq.org>
Date: Sun, 26 Jan 1997 05:47:18 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org, Pavel@PARC.Xerox.Com,
        fenner@PARC.Xerox.Com
Subject: security problems with mrouted
X-Send-Pr-Version: 3.2

>Number:         2585
>Category:       bin
>Synopsis:       [security] possible buffer overflows in mrouted
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    fenner
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 25 10:50:01 PST 1997
>Closed-Date:    Sun Feb 9 17:31:50 PST 1997
>Last-Modified:  Sun Feb  9 17:33:20 PST 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	h_length attacks in mrouted possible

	

>How-To-Repeat:

	

>Fix:
	
	

cd src/usr.sbin/mrouted and patch


--- mapper.c~	Sun Jan 26 05:43:08 1997
+++ mapper.c	Sun Jan 26 05:42:22 1997
@@ -827,7 +827,7 @@
     int addr;
 
     if (e)
-	memcpy(&addr, e->h_addr_list[0], e->h_length);
+	memcpy(&addr, e->h_addr_list[0], MIN(e->h_length, sizeof addr));
     else {
 	addr = inet_addr(name);
 	if (addr == -1)
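Review bot: In the memcpy into `addr`, clamping with MIN only bounds the upper side. `int addr;` is declared without an initialiser, so an answer whose `e->h_length` is smaller than `sizeof addr` leaves part of `addr` uninitialised, and an oversized one is silently truncated to its first bytes. Consider testing `e->h_length != sizeof addr` and treating a mismatch as a failed lookup rather than copying a partial address. MIN is also comparing an `int` with a `size_t` here, so the result depends on how the macro is defined, which this hunk does not show.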
--- mrinfo.c~	Sun Jan 26 05:35:27 1997
+++ mrinfo.c	Sun Jan 26 05:35:27 1997
@@ -392,7 +392,7 @@
 
 	/* Check all addresses; mrouters often have unreachable interfaces */
 	for (curaddr = 0; hp->h_addr_list[curaddr] != NULL; curaddr++) {
-	    memcpy(&target_addr, hp->h_addr_list[curaddr], hp->h_length);
+	    memcpy(&target_addr, hp->h_addr_list[curaddr], MIN(hp->h_length, sizeof target_addr));
 	    {			/* Find a good local address for us. */
 		int     udp;
 		struct sockaddr_in addr;
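Review bot: The length test on `hp->h_length` inside the `for` loop is loop-invariant, since the same `hp` is used for every `h_addr_list[curaddr]`. Checking it once before the loop and skipping the whole answer on a mismatch would avoid probing with a truncated `target_addr` for each entry. The hunk does not show a definition or include for MIN in mrinfo.c, so confirm it is available in this file, and the new line runs well past 80 columns and should be wrapped.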
--- mtrace.c~	Sun Jan 26 05:36:42 1997
+++ mtrace.c	Sun Jan 26 05:36:42 1997
@@ -759,7 +759,7 @@
     *op = '\0';
 
     if (dots <= 0) e = gethostbyname(name);
-    if (e) memcpy((char *)&addr, e->h_addr_list[0], e->h_length);
+    if (e) memcpy((char *)&addr, e->h_addr_list[0], MIN(e->h_length, sizeof addr));
     else {
 	addr = inet_addr(buf);
 	if (addr == -1 || (IN_MULTICAST(addr) && dots)) {
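Review bot: On the `if (e) memcpy(...)` line, a wrong-length answer still takes the success branch, so the `else` path with `inet_addr(buf)` and the `addr == -1` check below is never reached for it. Folding the length test into the condition, for example `if (e && e->h_length == sizeof addr)`, would let a malformed answer fall through to the existing fallback and error handling. The `(char *)` cast on `&addr` is not needed for memcpy and could be dropped while the line is being touched.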
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->fenner 
Responsible-Changed-By: fenner 
Responsible-Changed-When: Sat Jan 25 13:08:07 PST 1997 
Responsible-Changed-Why:  
fenner's responsible for mrouted code 
State-Changed-From-To: open->closed 
State-Changed-By: fenner 
State-Changed-When: Sun Feb 9 17:31:50 PST 1997 
State-Changed-Why:  
Fixed in -current, RELENG_2_1_0, and RELENG_2_2 in a slightly 
different manner.  (If the address length is wrong, just pretend 
we got no answer, since using the first 4 bytes of a wrong-length 
answer isn't likely to be useful.) 
>Unformatted:
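
The approach in the State-Changed-Why note above (treat a wrong-length answer as no answer), sketched as an added example; it is not the committed FreeBSD change or code from this PR. `hostent_ipv4` and `check_answer` are hypothetical names, the address-family check is an extra assumption, and the sample bytes are constructed.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not from mrouted: copy the n-th address of a resolver
 * answer into *out only when the answer is a well-formed IPv4 one.
 * Returns 0 on success, -1 when the caller should act as if no answer came. */
static int hostent_ipv4(const struct hostent *hp, int n, struct in_addr *out)
{
    if (hp == NULL || hp->h_addr_list == NULL || n < 0)
        return -1;
    /* Reject instead of clamping: the first 4 bytes of a wrong-length
     * answer are not a usable address. (The h_addrtype test is an assumption
     * added here; the PR only talks about the length.) */
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(*out))
        return -1;
    for (int i = 0; i <= n; i++)        /* never index past the NULL end */
        if (hp->h_addr_list[i] == NULL)
            return -1;
    memcpy(out, hp->h_addr_list[n], sizeof(*out)); /* size from destination */
    return 0;
}

/* Build a constructed answer that claims `claimed_len` bytes per address
 * and run it through the helper. */
static int check_answer(int claimed_len, struct in_addr *out)
{
    static unsigned char raw[16] = {192, 0, 2, 1};   /* constructed bytes */
    char *list[] = { (char *)raw, NULL };
    struct hostent h;

    memset(&h, 0, sizeof h);
    h.h_addrtype = AF_INET;
    h.h_length = claimed_len;
    h.h_addr_list = list;
    return hostent_ipv4(&h, 0, out);
}

int main(void)
{
    struct in_addr a;
    int lens[] = {4, 16, 2};

    for (int i = 0; i < 3; i++)
        printf("h_length=%d -> %s\n", lens[i],
               check_answer(lens[i], &a) == 0 ? "accepted" : "no answer");
    return 0;
}
```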
