From kato@eclogite.eps.nagoya-u.ac.jp  Fri Apr 11 04:49:03 1997
Received: from gneiss.eps.nagoya-u.ac.jp (gneiss.eps.nagoya-u.ac.jp [133.6.57.99])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA12731
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 11 Apr 1997 04:48:58 -0700 (PDT)
Received: (from kato@localhost) by gneiss.eps.nagoya-u.ac.jp (8.8.5/3.4W4) id UAA00718; Fri, 11 Apr 1997 20:48:51 +0900 (JST)
Message-Id: <199704111148.UAA00718@gneiss.eps.nagoya-u.ac.jp>
Date: Fri, 11 Apr 1997 20:48:51 +0900 (JST)
From: kato@eclogite.eps.nagoya-u.ac.jp
Reply-To: kato@eclogite.eps.nagoya-u.ac.jp
To: FreeBSD-gnats-submit@freebsd.org
Subject: cn_pnbuf overflow
X-Send-Pr-Version: 3.2

>Number:         3255
>Category:       kern
>Synopsis:       cn_pnbuf in union_vn_create overflow
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 11 04:50:00 PDT 1997
>Closed-Date:    Sat Apr 12 23:25:13 PDT 1997
>Last-Modified:  Sat Apr 12 23:25:48 PDT 1997
>Originator:     KATO Takenori
>Release:        FreeBSD 2.2-STABLE i386
>Organization:
Dept. Earth Planet. Sci, Nagoya Univ.
>Environment:


>Description:

Though malloc allocates only cn.cn_namelen bytes for cn.cn_pnbuf in
union_vn_create(), the following bcopy copies cn.cn_namelen + 1 bytes to
cn.cn_pnbuf.

>How-To-Repeat:


>Fix:

Obtained from:	NetBSD/pc98

The following patch is generated from the RELENG_2_2 branch; the problem also
exists in 3.0-current.

*** union_subr.c.ORIG	Fri Apr 11 20:34:55 1997
--- union_subr.c	Fri Apr 11 20:35:16 1997
***************
*** 660,666 ****
  	 * copied in the first place).
  	 */
  	cn.cn_namelen = strlen(un->un_path);
! 	cn.cn_pnbuf = (caddr_t) malloc(cn.cn_namelen, M_NAMEI, M_WAITOK);
  	bcopy(un->un_path, cn.cn_pnbuf, cn.cn_namelen+1);
  	cn.cn_nameiop = CREATE;
  	cn.cn_flags = (LOCKPARENT|HASBUF|SAVENAME|SAVESTART|ISLASTCN);
--- 660,666 ----
  	 * copied in the first place).
  	 */
  	cn.cn_namelen = strlen(un->un_path);
! 	cn.cn_pnbuf = (caddr_t) malloc(cn.cn_namelen+1, M_NAMEI, M_WAITOK);
  	bcopy(un->un_path, cn.cn_pnbuf, cn.cn_namelen+1);
  	cn.cn_nameiop = CREATE;
  	cn.cn_flags = (LOCKPARENT|HASBUF|SAVENAME|SAVESTART|ISLASTCN);
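Review bot: The one-byte allocation change at the `!` line is the whole fix and is sufficient, but the relationship between the three lines deserves a comment so the off-by-one is not reintroduced: `strlen(un->un_path)` excludes the terminating NUL, the `bcopy` on the next line copies `cn.cn_namelen+1` bytes so that the NUL lands in `cn.cn_pnbuf`, and therefore the buffer must be `cn.cn_namelen+1` bytes while `cn.cn_namelen` itself correctly stays at the `strlen` value. A short comment above the malloc such as `/* +1 for the terminating NUL that bcopy copies */` would document that. Note also that the copy still relies on `un->un_path` being NUL-terminated, which the preceding `strlen` already assumes, so the fix introduces no new precondition.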

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: phk
State-Changed-When: Sat Apr 12 23:25:13 PDT 1997
State-Changed-Why:
committed, thanks!
>Unformatted:
