From proff@profane.iq.org  Sat Jan 25 11:43:24 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA14391;
          Sat, 25 Jan 1997 11:42:33 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id GAA14741;
          Sun, 26 Jan 1997 06:42:03 +1100 (EST)
Message-Id: <199701251942.GAA14741@profane.iq.org>
Date: Sun, 26 Jan 1997 06:42:03 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
Subject: various buffer overflow fixes
X-Send-Pr-Version: 3.2

>Number:         2586
>Category:       bin
>Synopsis:       various buffer overflow fixes
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    imp
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 25 11:50:01 PST 1997
>Closed-Date:    Sun Nov 9 21:18:38 PST 1997
>Last-Modified:  Sun Nov  9 21:19:21 PST 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	

>How-To-Repeat:

	

>Fix:
	
	

--- src/usr.sbin/syslogd/syslogd.c~	Sun Jan 26 05:50:01 1997
+++ src/usr.sbin/syslogd/syslogd.c	Sun Jan 26 05:50:01 1997
@@ -1155,7 +1155,7 @@
 			 sizeof(f->f_un.f_forw.f_addr));
 		f->f_un.f_forw.f_addr.sin_family = AF_INET;
 		f->f_un.f_forw.f_addr.sin_port = LogPort;
-		memmove(&f->f_un.f_forw.f_addr.sin_addr, hp->h_addr, hp->h_length);
+		memmove(&f->f_un.f_forw.f_addr.sin_addr, hp->h_addr, MIN(hp->h_length,sizeof(struct in_addr));
 		f->f_type = F_FORW;
 		break;
 
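Review bot: The added `memmove` line does not close its own call: `MIN(hp->h_length,sizeof(struct in_addr));` balances the `sizeof` and `MIN` parentheses but leaves `memmove(` open, so syslogd.c will not compile as patched. The line should end `MIN(hp->h_length, sizeof(struct in_addr)));`. `MIN` comes from `<sys/param.h>`, and this patch adds that include only to fetch/main.c and libftpio/ftpio.c, so it is worth confirming that syslogd.c and the other touched files already pull it in. The enclosing function starts and ends outside the hunk.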
--- src/usr.sbin/ppp/ipcp.c~	Sun Jan 26 05:52:32 1997
+++ src/usr.sbin/ppp/ipcp.c	Sun Jan 26 05:52:32 1997
@@ -151,7 +151,7 @@
   if (gethostname(name, sizeof(name)) == 0) {
       hp = gethostbyname(name);
       if (hp && hp->h_addrtype == AF_INET) {
-	bcopy(hp->h_addr, (char *)&DefMyAddress.ipaddr.s_addr, hp->h_length);
+	bcopy(hp->h_addr, (char *)&DefMyAddress.ipaddr.s_addr, MIN(hp->h_length, sizeof DefMyAddress.ipaddr.s_addr));
       }
   }
 }
--- src/usr.sbin/ppp/command.c~	Sun Jan 26 05:51:17 1997
+++ src/usr.sbin/ppp/command.c	Sun Jan 26 05:51:18 1997
@@ -797,7 +797,7 @@
 
   hp = gethostbyname(cp);
   if (hp && hp->h_addrtype == AF_INET)
-    bcopy(hp->h_addr, &ipaddr, hp->h_length);
+    bcopy(hp->h_addr, &ipaddr, MIN(hp->h_length, sizeof ipaddr));
   else if (inet_aton(cp, &ipaddr) == 0)
     ipaddr.s_addr = 0;
   return(ipaddr);
--- src/usr.bin/whois/whois.c~	Sun Jan 26 05:53:49 1997
+++ src/usr.bin/whois/whois.c	Sun Jan 26 05:53:49 1997
@@ -97,7 +97,7 @@
 	}
 	bzero((caddr_t)&sin, sizeof (sin));
 	sin.sin_family = hp->h_addrtype;
-	bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
+	bcopy(hp->h_addr, (char *)&sin.sin_addr, MIN(hp->h_length, sin.sin_addr));
 	sp = getservbyname("whois", "tcp");
 	if (sp == NULL) {
 		(void)fprintf(stderr, "whois: whois/tcp: unknown service\n");
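Review bot: The new length argument `MIN(hp->h_length, sin.sin_addr)` compares an int with a `struct in_addr` object rather than with its size, which is not valid C; the `sizeof` used in the other hunks of this patch is missing here. It should read `MIN(hp->h_length, sizeof sin.sin_addr)`. The enclosing function starts and ends outside the hunk.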
--- src/usr.bin/telnet/commands.c~	Sun Jan 26 06:00:52 1997
+++ src/usr.bin/telnet/commands.c	Sun Jan 26 06:00:52 1997
@@ -2200,9 +2200,9 @@
 		sin.sin_family = host->h_addrtype;
 #if	defined(h_addr)		/* In 4.3, this is a #define */
 		memmove((caddr_t)&sin.sin_addr,
-				host->h_addr_list[0], host->h_length);
+				host->h_addr_list[0], MIN(host->h_length, sizeof sin.sin_addr));
 #else	/* defined(h_addr) */
-		memmove((caddr_t)&sin.sin_addr, host->h_addr, host->h_length);
+		memmove((caddr_t)&sin.sin_addr, host->h_addr, MIN(host->h_length, sizeof sin.sin_addr));
 #endif	/* defined(h_addr) */
 		strncpy(_hostname, host->h_name, sizeof(_hostname));
 		_hostname[sizeof(_hostname)-1] = '\0';
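Review bot: Clamping the copy length stops the write past `sin.sin_addr`, but the first line of this hunk still sets `sin.sin_family = host->h_addrtype` from the same resolver reply, so a record with an unexpected address type or length ends up as a sockaddr labelled with that family and holding a truncated or only partly filled address. Rejecting such a record is safer than silently truncating it, for example `if (host->h_addrtype != AF_INET || host->h_length != sizeof sin.sin_addr)` leading to whatever the function does on a failed lookup; the ipcp.c and command.c hunks already check the address type this way. The same pattern is visible in the whois.c, ftp.c, finger/net.c, fetch/main.c, route.c (second hunk), ping.c, mail.local.c and libftpio/ftpio.c hunks. The enclosing function starts and ends outside the hunk, so an earlier check may exist that is not visible here.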
@@ -2294,7 +2294,7 @@
 		perror((char *)0);
 		host->h_addr_list++;
 		memcpy((caddr_t)&sin.sin_addr,
-			host->h_addr_list[0], host->h_length);
+			host->h_addr_list[0], MIN(host->h_length, sizeof sin.sin_addr));
 		(void) NetClose(net);
 		continue;
 	    }
@@ -2779,9 +2779,9 @@
 		} else if (host = gethostbyname(cp)) {
 #if	defined(h_addr)
 			memcpy((caddr_t)&sin_addr,
-				host->h_addr_list[0], host->h_length);
+				host->h_addr_list[0], MIN(host->h_length, sizeof sin_addr));
 #else
-			memcpy((caddr_t)&sin_addr, host->h_addr, host->h_length);
+			memcpy((caddr_t)&sin_addr, host->h_addr, MIN(host->h_length, sizeof sin_addr));
 #endif
 		} else {
 			*cpp = cp;
--- src/usr.bin/talk/get_addrs.c~	Sun Jan 26 06:01:50 1997
+++ src/usr.bin/talk/get_addrs.c	Sun Jan 26 06:01:50 1997
@@ -56,7 +56,7 @@
 		herror((char *)NULL);
 		exit(-1);
 	}
-	bcopy(hp->h_addr, (char *) &his_machine_addr, hp->h_length);
+	bcopy(hp->h_addr, (char *) &his_machine_addr, MIN(hp->h_length, sizeof his_machine_addr));
 	if (get_iface(&his_machine_addr, &my_machine_addr) == -1) {
 		perror("failed to find my interface address");
 		exit(-1);
--- src/usr.bin/rpcinfo/rpcinfo.c~	Sun Jan 26 06:03:10 1997
+++ src/usr.bin/rpcinfo/rpcinfo.c	Sun Jan 26 06:03:59 1997
@@ -494,7 +494,7 @@
 		server_addr.sin_family = AF_INET;
 		if ((hp = gethostbyname("localhost")) != NULL)
 			bcopy(hp->h_addr, (caddr_t)&server_addr.sin_addr,
-			    hp->h_length);
+			    MIN(hp->h_length, sizeof server_addr.sin_addr));
 		else
 			server_addr.sin_addr.s_addr = inet_addr("0.0.0.0");
 	}
@@ -660,7 +660,7 @@
 			fprintf(stderr, "rpcinfo: %s is unknown host\n", host);
 			exit(1);
 		}
-		bcopy(hp->h_addr, (char *)&addr->sin_addr, hp->h_length);
+		bcopy(hp->h_addr, (char *)&addr->sin_addr, MIN(hp->h_length, sizeof addr->sin_addr));
 	}
 	addr->sin_family = AF_INET;
 }
--- src/usr.bin/quota/quota.c~	Sun Jan 26 06:04:50 1997
+++ src/usr.bin/quota/quota.c	Sun Jan 26 06:04:50 1997
@@ -702,7 +702,7 @@
 		return ((int) RPC_UNKNOWNHOST);
 	timeout.tv_usec = 0;
 	timeout.tv_sec = 6;
-	bcopy(hp->h_addr, &server_addr.sin_addr, hp->h_length);
+	bcopy(hp->h_addr, &server_addr.sin_addr, MIN(hp->h_length, sizeof server_addr.sin_addr));
 	server_addr.sin_family = AF_INET;
 	server_addr.sin_port =  0;
 
--- src/usr.bin/ftp/ftp.c~	Sun Jan 26 06:07:33 1997
+++ src/usr.bin/ftp/ftp.c	Sun Jan 26 06:07:33 1997
@@ -86,7 +86,7 @@
 {
 	struct hostent *hp = 0;
 	int s, len, tos;
-	static char hostnamebuf[80];
+	static char hostnamebuf[128];
 
 	memset((char *)&hisctladdr, 0, sizeof (hisctladdr));
 	hisctladdr.sin_addr.s_addr = inet_addr(host);
@@ -102,8 +102,9 @@
 		}
 		hisctladdr.sin_family = hp->h_addrtype;
 		memmove((caddr_t)&hisctladdr.sin_addr,
-				hp->h_addr_list[0], hp->h_length);
+				hp->h_addr_list[0], MIN(hp->h_length, sizeof hisctladdr.sin_addr));
 		(void) strncpy(hostnamebuf, hp->h_name, sizeof(hostnamebuf));
+		hostnamebuf[sizeof hostnamebuf]='\0';
 	}
 	hostname = hostnamebuf;
 	s = socket(hisctladdr.sin_family, SOCK_STREAM, 0);
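Review bot: The added terminator `hostnamebuf[sizeof hostnamebuf]='\0';` writes one byte past the end of the array, because the last valid index is `sizeof hostnamebuf - 1`; a patch meant to close overflows introduces a one-byte out-of-bounds write of its own. It should be `hostnamebuf[sizeof hostnamebuf - 1] = '\0';`, matching the `_hostname[sizeof(_hostname)-1] = '\0';` idiom visible in the telnet hunk. The enclosing function continues outside the hunk.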
@@ -123,7 +124,7 @@
 			warn("connect to address %s", ia);
 			hp->h_addr_list++;
 			memmove((caddr_t)&hisctladdr.sin_addr,
-					hp->h_addr_list[0], hp->h_length);
+					hp->h_addr_list[0], MIN(hp->h_length, sizeof hisctladdr.sin_addr));
 			fprintf(stdout, "Trying %s...\n",
 				inet_ntoa(hisctladdr.sin_addr));
 			(void) close(s);
--- src/usr.bin/finger/net.c~	Sun Jan 26 06:08:49 1997
+++ src/usr.bin/finger/net.c	Sun Jan 26 06:08:49 1997
@@ -91,7 +91,7 @@
 		return;
 	}
 	sin.sin_family = hp->h_addrtype;
-	bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
+	bcopy(hp->h_addr, (char *)&sin.sin_addr, MIN(hp->h_length, sizeof sin.sin_addr));
 	sin.sin_port = sp->s_port;
 	if ((s = socket(hp->h_addrtype, SOCK_STREAM, 0)) < 0) {
 		perror("finger: socket");
--- src/usr.bin/fetch/main.c~	Sun Jan 26 06:09:37 1997
+++ src/usr.bin/fetch/main.c	Sun Jan 26 06:11:06 1997
@@ -30,6 +30,7 @@
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/time.h>
+#include <sys/param.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -740,7 +741,7 @@
 	if (!h) 
 	    err (1, "could not lookup host %s.", host);
 	sin.sin_family = h->h_addrtype;
-	bcopy(h->h_addr, (char *)&sin.sin_addr, h->h_length);
+	bcopy(h->h_addr, (char *)&sin.sin_addr, MIN(h->h_length, sizeof sin.sin_addr));
     }
     sin.sin_port = htons (http_port);
     if ((s = socket (sin.sin_family, SOCK_STREAM, 0)) < 0) 
--- src/sbin/umount/umount.c~	Sun Jan 26 06:13:33 1997
+++ src/sbin/umount/umount.c	Sun Jan 26 06:13:33 1997
@@ -250,7 +250,7 @@
 		memset(&saddr, 0, sizeof(saddr));
 		saddr.sin_family = AF_INET;
 		saddr.sin_port = 0;
-		memmove(&saddr.sin_addr, hp->h_addr, hp->h_length);
+		memmove(&saddr.sin_addr, hp->h_addr, MIN(hp->h_length, sizeof saddr.sin_addr));
 		pertry.tv_sec = 3;
 		pertry.tv_usec = 0;
 		so = RPC_ANYSOCK;
--- src/sbin/route/route.c~	Sun Jan 26 06:15:05 1997
+++ src/sbin/route/route.c	Sun Jan 26 06:15:05 1997
@@ -725,7 +725,7 @@
 		if (af == AF_INET && *gateway && hp && hp->h_addr_list[1]) {
 			hp->h_addr_list++;
 			bcopy(hp->h_addr_list[0], &so_gate.sin.sin_addr,
-			    hp->h_length);
+			    MIN(hp->h_length, sizeof so_gate.sin.sin_addr));
 		} else
 			break;
 	}
@@ -989,7 +989,7 @@
 	if (hp) {
 		*hpp = hp;
 		su->sin.sin_family = hp->h_addrtype;
-		bcopy(hp->h_addr, (char *)&su->sin.sin_addr, hp->h_length);
+		bcopy(hp->h_addr, (char *)&su->sin.sin_addr, MIN(hp->h_length, sizeof su->sin.sin_addr));
 		return (1);
 	}
 	errx(EX_NOHOST, "bad address: %s", s);
--- src/sbin/ping/ping.c~	Sun Jan 26 05:12:34 1997
+++ src/sbin/ping/ping.c	Sun Jan 26 05:13:24 1997
@@ -305,7 +305,7 @@
 			exit(1);
 		}
 		to->sin_family = hp->h_addrtype;
-		bcopy(hp->h_addr, (caddr_t)&to->sin_addr, hp->h_length);
+		bcopy(hp->h_addr, (caddr_t)&to->sin_addr, MIN(hp->h_length, sizeof to->sin_addr));
 		(void)strncpy(hnamebuf, hp->h_name, sizeof(hnamebuf) - 1);
 		hostname = hnamebuf;
 	}
--- src/sbin/mount_nfs/mount_nfs.c~	Sun Jan 26 06:18:39 1997
+++ src/sbin/mount_nfs/mount_nfs.c	Sun Jan 26 06:18:39 1997
@@ -609,7 +609,7 @@
 			return (0);
 		}
 	} else if ((hp = gethostbyname(hostp)) != NULL) {
-		bcopy(hp->h_addr, (caddr_t)&saddr.sin_addr, hp->h_length);
+		bcopy(hp->h_addr, (caddr_t)&saddr.sin_addr, MIN(hp->h_length, sizeof saddr.sin_addr));
 	} else {
 		warnx("can't get net id for host");
 		return (0);
@@ -621,7 +621,7 @@
 			warnx("can't reverse resolve net address");
 			return (0);
 		}
-		bcopy(hp->h_addr, (caddr_t)&saddr.sin_addr, hp->h_length);
+		bcopy(hp->h_addr, (caddr_t)&saddr.sin_addr, MIN(hp->h_length, sizeof saddr.sin_addr));
 		strncpy(inst, hp->h_name, INST_SZ);
 		inst[INST_SZ - 1] = '\0';
 		if (cp = strchr(inst, '.'))
--- src/sbin/ifconfig/ifconfig.c~	Sun Jan 26 06:19:44 1997
+++ src/sbin/ifconfig/ifconfig.c	Sun Jan 26 06:19:44 1997
@@ -969,7 +969,7 @@
 	if (inet_aton(s, &sin->sin_addr))
 		return;
 	if ((hp = gethostbyname(s)) != 0)
-		bcopy(hp->h_addr, (char *)&sin->sin_addr, hp->h_length);
+		bcopy(hp->h_addr, (char *)&sin->sin_addr, MIN(hp->h_length, sizeof sin->sin_addr));
 	else if ((np = getnetbyname(s)) != 0)
 		sin->sin_addr = inet_makeaddr(np->n_net, INADDR_ANY);
 	else
--- src/libexec/mail.local/mail.local.c~	Sun Jan 26 06:21:55 1997
+++ src/libexec/mail.local/mail.local.c	Sun Jan 26 06:21:55 1997
@@ -346,7 +346,7 @@
 			return;
 		}
 		addr.sin_family = hp->h_addrtype;
-		memmove(&addr.sin_addr, hp->h_addr, hp->h_length);
+		memmove(&addr.sin_addr, hp->h_addr, MIN(hp->h_length, sizeof addr.sin_addr));
 		addr.sin_port = sp->s_port;
 	}
 	if (f < 0 && (f = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
--- src/lib/libskey/skeyaccess.c~	Sun Jan 26 06:25:21 1997
+++ src/lib/libskey/skeyaccess.c	Sun Jan 26 06:25:21 1997
@@ -408,12 +408,11 @@
 
     for (i = 0; i < MAX_ADDR && hp->h_addr_list[i]; i++)
 	memcpy((char *) &list[i],
-	       hp->h_addr_list[i], hp->h_length);
+	       hp->h_addr_list[i], (length=MIN(hp->h_length, sizeof (struct in_addr)));
     list[i].s_addr = 0;
 
     strncpy(buf, hp->h_name, MAXHOSTNAMELEN);
     buf[MAXHOSTNAMELEN] = 0;
-    length = hp->h_length;
 
     /*
      * Wipe addresses that appear to belong to someone else. We will get
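Review bot: Folding the `length` assignment into the `memcpy` argument in the loop at the top of this hunk leaves `memcpy(` unclosed and makes `length` depend on the loop body running at least once. The added line needs one more `)` before the `;` to compile. The removed `length = hp->h_length;` ran unconditionally, so if `hp->h_addr_list[0]` is NULL any later use of `length` (not visible in this hunk) would read a value this code never set. A separate statement is clearer and avoids both problems: `length = MIN(hp->h_length, sizeof (struct in_addr));` before the loop and `memcpy((char *) &list[i], hp->h_addr_list[i], length);` inside it. The function starts and ends outside the hunk.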
--- src/lib/libftpio/ftpio.c~	Sun Jan 26 06:40:59 1997
+++ src/lib/libftpio/ftpio.c	Sun Jan 26 06:26:37 1997
@@ -35,6 +35,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <sys/param.h>
 
 #define SUCCESS		 0
 #define FAILURE		-1
@@ -701,7 +702,7 @@
 	    return FAILURE;
 	}
 	ftp->addrtype = sin.sin_family = he->h_addrtype;
-	bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
+	bcopy(he->h_addr, (char *)&sin.sin_addr, MIN(he->h_length, sizeof sin.sin_addr));
     }
 
     sin.sin_port = htons(port);
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Jan 25 23:14:33 PST 1997 
Responsible-Changed-Why:  
Misfiled PR. 
Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: imp 
Responsible-Changed-When: Sat Feb 8 23:44:03 MST 1997 
Responsible-Changed-Why:  
I'll fix this. 
State-Changed-From-To: open->closed 
State-Changed-By: imp 
State-Changed-When: Sun Mar 23 23:41:39 MST 1997 
State-Changed-Why:  

Fixed in termcap.c 1.8 
State-Changed-From-To: closed->open 
State-Changed-By: imp 
State-Changed-When: Tue Oct 14 12:33:42 MDT 1997 
State-Changed-Why:  

Only some of these fixes have been integrated into the tree. 
State-Changed-From-To: open->closed 
State-Changed-By: jkh 
State-Changed-When: Sun Nov 9 21:18:38 PST 1997 
State-Changed-Why:  
Duplicate. 
>Unformatted:
