Message-Id: <200509272015.j8RKFgeQ021126@www.freebsd.org>
Date: Tue, 27 Sep 2005 20:15:42 GMT
From: Stephen Hurd <shurd@sasktel.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: natd copy to limited buffer size without checking range
X-Send-Pr-Version: www-2.3

>Number:         86647
>Category:       bin
>Synopsis:       natd(8) copy to limited buffer size without checking range
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 27 20:20:22 GMT 2005
>Closed-Date:    Sun Jun 22 21:24:34 UTC 2008
>Last-Modified:  Sun Jun 22 21:30:01 UTC 2008
>Originator:     Stephen Hurd
>Release:        5.3-RELEASE
>Organization:
>Environment:
FreeBSD fw.bbsdev.net 5.3-RELEASE FreeBSD 5.3-RELEASE #4: Fri Sep  2 14:31:49 CST 2005     admin@fw.bbsdev.net:/usr/src/sys/i386/compile/FW  i386

>Description:
      In Setup*Redirect() in natd.c, the params are copied to a fixed-length buffer using strlcpy() then parsed.  For large round-robin redirects, 128 is occasionally not enough bytes.  natd currently truncates the arguments to 128 bytes and then parses.  For a redirect_port such as this:
"redirect_port tcp 192.168.0.13:30023,192.168.0.1:30023,192.168.0.7:30023,192.168.0.12:30023,192.168.0.9:30023,192.168.0.4:30023 142.165.59.203:telnet"
This truncates to an invalid line without a message to that effect.
>How-To-Repeat:
      Add a redirect_* line to a natd config file (or on command-line) with more than 128 chars in the params.
>Fix:
      Use strdup() to copy the params, or check param length before copying and throw an error if larger than sizeof(buf)-1.
>Release-Note:
>Audit-Trail:

From: "Stephen Hurd" <shurd@broadcom.com>
To: bug-followup@FreeBSD.org,
	shurd@sasktel.net
Cc:  
Subject: Re: bin/86647: natd(8) copy to limited buffer size without
 checking range
Date: Thu, 5 Jul 2007 16:44:45 -0700

 
 Patch against current RELENG_6_2.  Fix problem using strdup()
  
 Stephen Hurd
 Senior Engineering Technician 3
 Broadcom Corporation
 949-926-8039
 shurd@broadcom.com
  
 
 

From: "Stephen Hurd" <shurd@broadcom.com>
To: bug-followup@FreeBSD.org,
	shurd@sasktel.net
Cc:  
Subject: Re: bin/86647: natd(8) copy to limited buffer size without
 checking range
Date: Fri, 6 Jul 2007 11:08:30 -0700

 
 Bah.  Outlook sucks.  Hopefully renaming the .patch to .txt results in
 it not being B64 encoded.
  
 Stephen Hurd
 Senior Engineering Technician 3
 Broadcom Corporation
 949-926-8039
 shurd@broadcom.com
 
 
State-Changed-From-To: open->closed 
State-Changed-By: mav 
State-Changed-When: Sun Jun 22 21:23:57 UTC 2008 
State-Changed-Why:  
Patch committed to the HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=86647 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/86647: commit references a PR
Date: Sun, 22 Jun 2008 21:22:44 +0000 (UTC)

 mav         2008-06-22 21:22:25 UTC
 
   FreeBSD src repository
 
   Modified files:
     sbin/natd            natd.c 
   Log:
   SVN rev 179935 on 2008-06-22 21:22:25Z by mav
   
   Use strdup() instead of static buffer allocation to avoid 128 bytes limit
   on -redirect_XXX arguments length.
   
   PR:             bin/86647
   Submitted by:   Stephen Hurd <shurd@sasktel.net>
   
   Revision  Changes    Path
   1.52      +18 -6     src/sbin/natd/natd.c
 
>Unformatted:
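
The silent truncation described in the report, next to the two fixes it proposes (a length check that fails loudly, and a heap copy sized to the input as strdup() makes), as an added C example that is not natd's code or the submitted patch. It assumes the copied string is the option's parameter text from the report's sample line; `bounded_copy` is a portable stand-in for strlcpy(), `dup_parms` spells out what strdup() does, and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 128 /* fixed buffer size named in the report */
/* Parameter text of the report's redirect_port example (135 characters). */
static const char SAMPLE_PARMS[] =
    "tcp 192.168.0.13:30023,192.168.0.1:30023,192.168.0.7:30023,"
    "192.168.0.12:30023,192.168.0.9:30023,192.168.0.4:30023 "
    "142.165.59.203:telnet";

/* Stand-in with strlcpy()'s contract: NUL-terminate, return strlen(src). */
size_t bounded_copy(char *dst, const char *src, size_t size) {
    size_t n = strlen(src);
    if (size == 0) return n;
    size_t c = n < size - 1 ? n : size - 1;
    memcpy(dst, src, c);
    dst[c] = '\0';
    return n;
}
/* Reported behaviour: result ignored; returns the length the parser gets. */
size_t copy_unchecked(char *buf, const char *parms) {
    (void)bounded_copy(buf, parms, BUF_SIZE);
    return strlen(buf);
}
/* Length-check fix: refuse anything longer than sizeof(buf) - 1. */
int copy_checked(char *buf, const char *parms) {
    return bounded_copy(buf, parms, BUF_SIZE) >= BUF_SIZE ? -1 : 0;
}
/* Heap-copy fix: allocation sized to the input, as strdup() does. */
char *dup_parms(const char *parms) {
    size_t n = strlen(parms) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, parms, n) : NULL;
}
/* Last space-separated field of the parameter string. */
const char *last_token(const char *s) {
    const char *sp = strrchr(s, ' ');
    return sp ? sp + 1 : s;
}

int main(void) {
    char buf[BUF_SIZE];
    size_t n = copy_unchecked(buf, SAMPLE_PARMS);
    printf("unchecked: %zu bytes kept, last field \"%s\"\n", n, last_token(buf));
    printf("checked:   %s\n", copy_checked(buf, SAMPLE_PARMS) ? "rejected" : "accepted");
    char *d = dup_parms(SAMPLE_PARMS);
    if (d) printf("heap copy: last field \"%s\"\n", last_token(d));
    free(d);
    return 0;
}
```

Under that assumption the unchecked copy keeps 127 bytes and its last field is cut mid-token with no diagnostic, while the checked variant rejects the input and the heap copy preserves it whole.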
