From nobody@FreeBSD.org  Sun Mar 19 13:33:19 2000
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 03DEA37B6FE
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 19 Mar 2000 13:33:19 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id NAA69460;
	Sun, 19 Mar 2000 13:33:19 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Message-Id: <200003192133.NAA69460@freefall.freebsd.org>
Date: Sun, 19 Mar 2000 13:33:19 -0800 (PST)
From: alo@iki.fi
Sender: nobody@FreeBSD.org
To: freebsd-gnats-submit@FreeBSD.org
Subject: There is a bug in SIOCGIFCONF ioctl code
X-Send-Pr-Version: www-1.0

>Number:         17492
>Category:       kern
>Synopsis:       There is a bug in SIOCGIFCONF ioctl code
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 19 13:40:01 PST 2000
>Closed-Date:    Mon Aug 21 12:13:08 PDT 2000
>Last-Modified:  Mon Aug 21 12:13:51 PDT 2000
>Originator:     Antti Louko
>Release:        3.4
>Organization:
>Environment:
FreeBSD h.louko.com 3.4-RELEASE FreeBSD 3.4-RELEASE #5: Sun Mar  5 20:52:36 EET 2000     root@h.louko.com:/usr/src/sys/compile/ALOFON  i386
>Description:
There is a bug in net/if.c in function ifconf where variable space
is compared with sizeof(ifr).  sizeof appears to always be
unsigned, and int space, which can be negative, gets converted into
unsigned and becomes a very large number, greater than sizeof(ifr).
>How-To-Repeat:
It may be a little bit tricky to adjust all parameters
but it definitely is possible.
>Fix:
Change all sizeof(ifr) etc. into (int)(sizeof(ifr)).

>Release-Note:
>Audit-Trail:

From: "Patrick Bihan-Faou" <patrick@mindstep.com>
To: <freebsd-gnats-submit@FreeBSD.org>, <alo@iki.fi>
Cc:  
Subject: Re: kern/17492: There is a bug in SIOCGIFCONF ioctl code
Date: Thu, 30 Mar 2000 11:27:41 -0500

 This bug is the same as described in PR kern/17311.
 
 Basically what goes wrong is that the variable "space" can be decremented
 too much resulting in a negative number.
 
 Then, when you do a compare between space and sizeof(xxx) to verify if there
 is enough room for the next interface config structure, the comparison
 succeeds because the "signed" int (space) gets silently cast to an
 "unsigned" int (which of course is fairly large).
 
 
 PR 17311 contains a more complete fix than just changing all sizeof(xxx) to
 (int)sizeof(xxx), which may result in incomplete structures being copied
 over.
 
 Patrick.
 
 
 
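To make the conversion Patrick describes concrete, the following is an added C example; it is not code from this PR, from PR 17311, or from the FreeBSD kernel. It models the ifconf copy-out loop with a constructed 32-byte stand-in for struct ifreq, constructed record lengths, and an 80-byte user buffer; the names has_room_buggy, has_room_cast, copy_out, the sample values and the struct result type are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for struct ifreq on i386: 16 bytes of name plus a
 * 16-byte embedded sockaddr, 32 bytes in total. Not the kernel's definition. */
struct fake_ifreq {
    char name[16];
    char addr[16];
};

/* Result of one simulated copy-out pass (assumed type, for illustration). */
struct result {
    size_t written;    /* bytes that would have been copied to user space */
    int overflowed;    /* 1 if written exceeded the user buffer size */
};

/* Room check as the PR describes it: an int compared against sizeof().
 * The usual arithmetic conversions turn a negative space into a huge
 * unsigned value, so the check passes exactly when it must fail. */
int has_room_buggy(int space)
{
    return space >= sizeof(struct fake_ifreq);   /* -Wsign-compare warns here */
}

/* Submitter's proposed fix: cast sizeof() so the comparison stays signed. */
int has_room_cast(int space)
{
    return space >= (int)sizeof(struct fake_ifreq);
}

/* Model of the copy-out loop. rec_lens[i] is the number of bytes record i
 * occupies in the user buffer: 32 for an ordinary sockaddr, more when the
 * sockaddr is longer than the 16 bytes embedded in the ifreq. */
struct result copy_out(int bufsize, const int *rec_lens, size_t n,
                       int (*has_room)(int))
{
    struct result r = { 0, 0 };
    int space = bufsize;

    for (size_t i = 0; i < n && has_room(space); i++) {
        int extra = rec_lens[i] - (int)sizeof(struct fake_ifreq);
        if (extra > 0) {
            /* Long sockaddr: charge the extra bytes first, then re-check.
             * This subtraction is what can drive space negative. */
            space -= extra;
            if (!has_room(space))
                break;
        }
        r.written += (size_t)rec_lens[i];
        if (r.written > (size_t)bufsize)
            r.overflowed = 1;            /* would write past the user buffer */
        space -= (int)sizeof(struct fake_ifreq);
    }
    return r;
}

/* Constructed scenario: an 80-byte user buffer, one ordinary interface
 * record and one whose sockaddr is 216 bytes long (record = 16 + 216). */
static const int sample_recs[] = { 32, 232 };
#define SAMPLE_BUF 80
#define SAMPLE_N (sizeof(sample_recs) / sizeof(sample_recs[0]))

/* With the buggy comparison: 264 bytes copied into an 80-byte buffer. */
struct result demo_buggy(void)
{
    return copy_out(SAMPLE_BUF, sample_recs, SAMPLE_N, has_room_buggy);
}

/* With the cast comparison: the loop stops after the first 32-byte record. */
struct result demo_cast(void)
{
    return copy_out(SAMPLE_BUF, sample_recs, SAMPLE_N, has_room_cast);
}

int main(void)
{
    struct result b = demo_buggy();
    struct result c = demo_cast();

    printf("buggy: %zu bytes copied, overflow=%d\n", b.written, b.overflowed);
    printf("cast:  %zu bytes copied, overflow=%d\n", c.written, c.overflowed);
    return 0;
}
```

Compiling with -Wsign-compare (enabled by -Wextra in GCC and Clang) flags the comparison in has_room_buggy, which is the cheapest way to catch this class of defect across a code base. The example only models the signed/unsigned conversion; Patrick's point that a complete fix must also account for the full length of a record with a long sockaddr is not modelled here.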
State-Changed-From-To: open->closed
State-Changed-By: johan
State-Changed-When: Mon Aug 21 12:13:08 PDT 2000
State-Changed-Why:
Duplicate of PR 17311
http://www.FreeBSD.org/cgi/query-pr.cgi?pr=17311

>Unformatted:
