From futatuki@adin.co.jp Tue Mar 23 20:00:32 1999
Return-Path: <futatuki@adin.co.jp>
Received: from azusa.adin.co.jp (mail.adin.co.jp [202.213.164.130])
	by hub.freebsd.org (Postfix) with ESMTP id 07CA215321
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 23 Mar 1999 20:00:27 -0800 (PST)
	(envelope-from futatuki@adin.co.jp)
Received: from sheep.adin.co.jp (sheep.adin.co.jp [172.16.17.226])
	by azusa.adin.co.jp (8.8.8/8.8.8) with ESMTP id NAA19993
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Mar 1999 13:00:52 +0900 (JST)
Received: (from futatuki@localhost)
	by sheep.adin.co.jp (8.8.8/8.8.8) id MAA01108;
	Wed, 24 Mar 1999 12:57:54 +0900 (JST)
	(envelope-from futatuki)
Message-Id: <199903240357.MAA01108@sheep.adin.co.jp>
Date: Wed, 24 Mar 1999 12:57:54 +0900 (JST)
From: futatuki@fureai.or.jp
Sender: futatuki@adin.co.jp
Reply-To: futatuki@fureai.or.jp
To: FreeBSD-gnats-submit@freebsd.org
Subject: buffer over run on msgrcv() system call
X-Send-Pr-Version: 3.2

>Number:         10765
>Category:       kern
>Synopsis:       buffer over run on msgrcv() system call
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 23 20:10:00 PST 1999
>Closed-Date:    Wed Apr 21 06:30:14 PDT 1999
>Last-Modified:  Wed Apr 21 06:31:04 PDT 1999
>Originator:     Yasuhito FUTATSUKI
>Release:        FreeBSD 3.1-RELEASE i386
>Organization:
>Environment:
  FreeBSD 3.1-RELEASE i386 / FreeBSD 2.2.7-RELEASE i386 

>Description:

msgrcv(msqid, msgp, msgsz, msgtyp, msgflg) copies more message data
than the msgsz argument allows when

  1. msgsz is larger than `msgssz', and
  2. msgsz is not a multiple of `msgssz'

where msgssz is the size of a message segment in bytes, as set by the
kernel configuration option MSGSSZ; the default is 8.

>How-To-Repeat:

Assume msgssz is 8, the message queue with id msqid is accessible,
and a message of type msgtyp and size 20 bytes was sent; then

  struct {
    long mtype;
    char mtext[20];     /* exactly msgsz bytes of payload */
    long some_data;     /* lies immediately past mtext */
  } mymsg;

  msgrcv(msqid, (void*)&mymsg, 20, msgtyp, 0);

will overwrite mymsg.some_data.

>Fix:

*** sys/kern/sysv_msg.c.dist	Mon Mar 30 18:50:35 1998
--- sys/kern/sysv_msg.c	Wed Mar 24 10:52:34 1999
***************
*** 993,1002 ****
  	for (len = 0; len < msgsz; len += msginfo.msgssz) {
  		size_t tlen;
  
! 		if (msgsz > msginfo.msgssz)
  			tlen = msginfo.msgssz;
  		else
! 			tlen = msgsz;
  		if (next <= -1)
  			panic("next too low #3");
  		if (next >= msginfo.msgseg)
--- 993,1002 ----
  	for (len = 0; len < msgsz; len += msginfo.msgssz) {
  		size_t tlen;
  
! 		if (msgsz - len > msginfo.msgssz)
  			tlen = msginfo.msgssz;
  		else
! 			tlen = msgsz -len;
  		if (next <= -1)
  			panic("next too low #3");
  		if (next >= msginfo.msgseg)
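Review bot: the comparison in the old loop, `if (msgsz > msginfo.msgssz)`, tests the whole request instead of the bytes still to be copied, so on every iteration after the first tlen stays at msginfo.msgssz even when fewer than msgssz bytes remain, and the loop writes up to msgssz - 1 bytes past the end of the caller's buffer (the 20-byte / 8-byte case in How-To-Repeat copies 24); since len advances by msginfo.msgssz per iteration, `msgsz - len` is exactly the remaining count, so the two changed lines are the complete fix. Note that the two panic() checks that follow only guard the kernel-side segment index, not the user buffer, so nothing else in this loop catches the overrun. One style nit: `tlen = msgsz -len;` should read `tlen = msgsz - len;` to match the spacing of the condition above it.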

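The segment-copy loop that the description and the patch are about, modelled in user space as an added example (not code from the PR or from the FreeBSD source): the message pool, the segment chain, the canary buffer and the memcpy() stand-in for copyout() are constructed here, while the 20-byte message over 8-byte segments is the PR's own scenario.

```c
/* Userland model of the segment-copy loop in msgrcv() (sys/kern/sysv_msg.c).
 * Added example, not code from the PR or the FreeBSD tree: the segment pool,
 * the segment chain and the canary buffer are constructed here, and the
 * kernel's copyout() into user space is replaced by memcpy(). */
#include <string.h>

#define MSGSSZ  8   /* bytes per message segment (kernel option MSGSSZ) */
#define MSGSEG  16  /* segments in the constructed pool */

static char msgpool[MSGSEG * MSGSSZ];  /* constructed message pool */
static int  msgmaps_next[MSGSEG];      /* segment chain, like msgmaps[i].next */

/* Copy msgsz bytes of the message starting at segment `first' into dst.
 * fixed == 0: per-segment length derived from msgsz alone (the bug).
 * fixed != 0: derived from the bytes still remaining, msgsz - len (the patch).
 * Returns the number of bytes written to dst. */
static size_t copy_segments(unsigned char *dst, size_t msgsz, int first, int fixed)
{
    size_t len, written = 0;
    int next = first;

    for (len = 0; len < msgsz; len += MSGSSZ) {
        size_t left = fixed ? msgsz - len : msgsz;
        size_t tlen = left > MSGSSZ ? MSGSSZ : left;
        memcpy(dst + written, &msgpool[next * MSGSSZ], tlen);
        written += tlen;
        next = msgmaps_next[next];
    }
    return written;
}

/* The PR's scenario: a 20-byte message received with msgsz = 20 into a buffer
 * whose 20 payload bytes are followed by a 4-byte canary (the role some_data
 * plays after mtext[20]).  Returns bytes written; *canary_intact becomes 1 if
 * nothing was written past msgsz. */
static size_t receive_20_bytes(int fixed, int *canary_intact)
{
    unsigned char buf[24];
    size_t n;
    int i;

    /* Message occupies segments 3 -> 7 -> 1 (20 bytes = 8 + 8 + 4). */
    msgmaps_next[3] = 7; msgmaps_next[7] = 1; msgmaps_next[1] = -1;
    for (i = 0; i < (int)sizeof(msgpool); i++)
        msgpool[i] = (char)('A' + i % 26);
    memset(buf, 0x5a, sizeof(buf));           /* canary pattern everywhere */
    n = copy_segments(buf, 20, 3, fixed);
    *canary_intact = (memcmp(buf + 20, "\x5a\x5a\x5a\x5a", 4) == 0);
    return n;
}
```

With fixed = 0 the loop copies 8 + 8 + 8 = 24 bytes and the canary is clobbered; with fixed = 1 it copies 8 + 8 + 4 = 20 and the canary survives.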
>Release-Note:
>Audit-Trail:

From: futatuki@fureai.or.jp (Yasuhito FUTATSUKI)
To: FreeBSD-gnats-submit@freebsd.org
Cc: futatuki@fureai.or.jp
Subject: Re: kern/10765: buffer over run on msgrcv() system call
Date: Fri, 26 Mar 1999 05:34:05 +0900 (JST)

 Correct some typos and careless mistakes.
 
 > >Description:
 > 
 > msgrcv(msqid, msgp, msgsz, msgtyp, msgflg) copies larger size of
 > sage data than specified in msgsz when
   ^^^^
   message
  
 >   1. msgsz is larger than `msgssz', and
 >   2. msgsz is not multiples of `msgssz'
 > 
 > where msgssz is the size of message segment in bytes, which is
 > specified in kernel configration option MSGSSZ, the default is 8.
 > 
 > >How-To-Repeat:
 > 
 > Assume msgssz is 8, message que of id msgid is accessable,
 > a message of type msgtyp and size 20 bytes was sent, then
 > 
 >   struct {
 >     long mtype; 
 >     char mtext[20];
 >     long some_data; 
 >   } mymsg;
 > 
 >   msgrcv(msqid, (void*)mymsg, 20, msgtyp, 0);
     msgrcv(msqid, (void*)&mymsg, 20, msgtyp, 0);
                           
 > will crash mymsg.some_data .
 
 > > Fix:
 
 I verified with
 
   $Id: sysv_msg.c,v 1.18 1998/03/30 09:50:35 phk Exp $ (for 3.x) and 
   $Id: sysv_msg.c,v 1.13 1996/08/31 14:47:57 bde Exp $ (for 2.2.x).
 
 As I read
 
   $Id: sysv_msg.c,v 1.19 1999/01/30 12:21:48 phk Exp $ (for 4.0) ,
 
 I think 4.0-CURRENT has the same problem and the patch can be applied there as well.
 
   -- Yasuhito FUTATSUKI
 

From: Yasuhito FUTATSUKI <futatuki@fureai.or.jp>
To: freebsd-gnats-submit@freebsd.org, futatuki@fureai.or.jp
Cc: futatuki@fureai.or.jp
Subject: Re: kern/10765
Date: Mon, 19 Apr 1999 16:05:08 +0900 (JST)

 This problem was not only FreeBSD's but also NetBSD/OpenBSD's,
 so I sent a problem report to the NetBSD/OpenBSD GNATS DBs.
 
 Submit IDs are kern/7386 on NetBSD and kernel/803 on OpenBSD.
 The problem report on OpenBSD was closed at Sun, 18 Apr 1999
 12:24:54 -0600 (MDT).
 
  -- Yasuhito FUTATSUKI
 
State-Changed-From-To: open->closed 
State-Changed-By: sada 
State-Changed-When: Wed Apr 21 06:30:14 PDT 1999 
State-Changed-Why:  
Committed, at last!! :)
>Unformatted:
