From nobody@FreeBSD.org  Sat May  8 06:33:55 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BD1CF16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  8 May 2004 06:33:55 -0700 (PDT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 858F043D48
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  8 May 2004 06:33:55 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i48DXtuj039013
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 8 May 2004 06:33:55 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i48DXtnd039011;
	Sat, 8 May 2004 06:33:55 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200405081333.i48DXtnd039011@www.freebsd.org>
Date: Sat, 8 May 2004 06:33:55 -0700 (PDT)
From: Andrei Iltchenko <iltchenko@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Buffer overrun in the 'in_pcbopts' function.
X-Send-Pr-Version: www-2.3

>Number:         66386
>Category:       kern
>Synopsis:       Buffer overrun in the 'in_pcbopts' function.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    maxim
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 08 06:40:18 PDT 2004
>Closed-Date:    Tue Jun 01 00:46:27 PDT 2004
>Last-Modified:  Tue Jun 01 00:46:27 PDT 2004
>Originator:     Andrei Iltchenko
>Release:        FreeBSD 4.7
>Organization:
Compuware
>Environment:
FreeBSD glora.wanadoo.nl 4.7-RC FreeBSD 4.7-RC #1: Sun Sep 29 16:33:54 CEST 2002     root@:/usr/src/sys/compile/GLORA  i386
>Description:
      The 'ip_pcbopts' function from 'ip_output.c' features a buffer overrun which
takes place whenever either an 'IPOPT_LSRR' or an 'IPOPT_SSRR' option is supplied.
     Here's the offending piece of code:
                        /*
                         * Then copy rest of options back
                         * to close up the deleted entry.
                         */
                        ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
                            sizeof(struct in_addr)),
                            (caddr_t)&cp[IPOPT_OFFSET+1],
                            (unsigned)cnt + sizeof(struct in_addr));
                        break;
 
The problem in question is the last argument in the above call to
'ovbcopy', which runs over the end of the buffer by 7 bytes (i386).
>How-To-Repeat:
      
>Fix:
      The call to 'ovbcopy' should be rewritten to read:
                        /*
                         * Then copy rest of options back
                         * to close up the deleted entry.
                         */
                        ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
                            sizeof(struct in_addr)),
                            (caddr_t)&cp[IPOPT_OFFSET+1],
                            (unsigned)cnt - IPOPT_MINOFF-1);
                        break;
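The following is an added example, not code from the PR or from FreeBSD: a user-space model of the LSRR/SSRR rewrite loop in ip_pcbopts(), with the tail copy instrumented to report how far its source range runs past the valid option bytes instead of reading them. The surrounding option-parsing checks are my reconstruction of the kernel loop (assumed, not quoted from the PR); the IPOPT_* values are those of <netinet/ip.h>, and the 12-byte LSRR sample is constructed for the demonstration. Selecting the pre-fix length reproduces the 7-byte overrun the report describes; selecting the fixed length gives 0 and leaves the option rewritten as the comment in the kernel code promises (first hop in front, option shortened by one address).

```c
/* Added example: model of the ip_pcbopts() source-route rewrite (not FreeBSD code). */
#include <stdint.h>
#include <string.h>

#define IPOPT_OPTVAL 0
#define IPOPT_OLEN   1
#define IPOPT_OFFSET 2
#define IPOPT_MINOFF 4
#define IPOPT_EOL    0
#define IPOPT_NOP    1
#define IPOPT_LSRR   131
#define IPOPT_SSRR   137
#define ADDRLEN      4          /* sizeof(struct in_addr) */
#define MAX_IPOPTLEN 40

struct pcbopts_result {
    int rc;        /* 0 = accepted, -1 = rejected as malformed */
    int overrun;   /* bytes the tail copy would read past the valid data */
    int len;       /* first-hop address + rewritten options (m->m_len) */
    uint8_t buf[ADDRLEN + MAX_IPOPTLEN];
};

/*
 * opts/len: the buffer a process hands to setsockopt(IP_OPTIONS).
 * fixed:    0 -> length = (unsigned)cnt + sizeof(struct in_addr)  (pre-fix)
 *           1 -> length = (unsigned)cnt - (IPOPT_MINOFF - 1)      (the fix)
 * The parsing checks below are an assumed reconstruction of the kernel loop.
 */
static struct pcbopts_result model_pcbopts(const uint8_t *opts, int len, int fixed)
{
    struct pcbopts_result r;
    int total, cnt, optlen = 0;
    uint8_t *cp;

    memset(&r, 0, sizeof r);
    if (len <= 0 || len > MAX_IPOPTLEN || len % 4 != 0)
        goto bad;
    /* Options are shifted up by 4 bytes; the first hop will live in front. */
    memcpy(r.buf + ADDRLEN, opts, (size_t)len);
    total = ADDRLEN + len;
    cp = r.buf + ADDRLEN;
    cnt = len;

    for (; cnt > 0; cnt -= optlen, cp += optlen) {
        uint8_t opt = cp[IPOPT_OPTVAL];
        if (opt == IPOPT_EOL)
            break;
        if (opt == IPOPT_NOP) {
            optlen = 1;
            continue;
        }
        if (cnt < IPOPT_OLEN + 1)
            goto bad;
        optlen = cp[IPOPT_OLEN];
        if (optlen < IPOPT_OLEN + 1 || optlen > cnt)
            goto bad;
        if (opt != IPOPT_LSRR && opt != IPOPT_SSRR)
            continue;
        /* Route is ->A->B->...; A is the first hop and leaves the option. */
        if (optlen < IPOPT_MINOFF - 1 + ADDRLEN)
            goto bad;
        {
            int valid_end = total;             /* one past the last valid byte */
            const uint8_t *src;
            unsigned n;
            int avail;

            total -= ADDRLEN;
            cnt -= ADDRLEN;
            optlen -= ADDRLEN;
            cp[IPOPT_OLEN] = (uint8_t)optlen;
            memcpy(r.buf, &cp[IPOPT_OFFSET + 1], ADDRLEN);   /* A -> front */

            /* Close the 4-byte gap left by A; measure the copy, don't trust it. */
            src = &cp[IPOPT_OFFSET + 1] + ADDRLEN;
            n = fixed ? (unsigned)cnt - (IPOPT_MINOFF - 1)
                      : (unsigned)cnt + ADDRLEN;
            avail = valid_end - (int)(src - r.buf);   /* bytes really after A */
            if ((int)n > avail)
                r.overrun = (int)n - avail;
            memmove(&cp[IPOPT_OFFSET + 1], src, (size_t)avail);
        }
    }
    r.len = total;
    return r;
bad:
    r.rc = -1;
    return r;
}

/* Constructed input: LSRR ->10.0.0.1->10.0.0.2, padded with EOL to 12 bytes. */
static const uint8_t sample_lsrr[12] = {
    IPOPT_LSRR, 11, IPOPT_MINOFF, 10, 0, 0, 1, 10, 0, 0, 2, IPOPT_EOL
};

/* Overrun of the tail copy for the sample: 7 with the old length, 0 with the fix. */
static int sample_overrun(int fixed)
{
    struct pcbopts_result r = model_pcbopts(sample_lsrr, (int)sizeof sample_lsrr, fixed);
    return r.rc == 0 ? r.overrun : -1;
}

/* 1 if the fixed rewrite yields first hop 10.0.0.1 then LSRR,7,4,10.0.0.2. */
static int sample_rewrite_ok(void)
{
    static const uint8_t want[11] = {10, 0, 0, 1, IPOPT_LSRR, 7, IPOPT_MINOFF, 10, 0, 0, 2};
    struct pcbopts_result r = model_pcbopts(sample_lsrr, (int)sizeof sample_lsrr, 1);
    return r.rc == 0 && r.len == 12 && memcmp(r.buf, want, sizeof want) == 0;
}

/* An LSRR carrying no address at all must be rejected before the rewrite. */
static int sample_reject_empty_lsrr(void)
{
    static const uint8_t opts[4] = {IPOPT_LSRR, 3, IPOPT_MINOFF, IPOPT_EOL};
    return model_pcbopts(opts, 4, 1).rc;
}
```

The 7 in the overrun is not arch-specific: it is the difference between the two length expressions, (cnt + 4) - (cnt - 3), i.e. the three header bytes of the option (type, length, pointer) plus the one address that was just moved out, which the old expression counted twice.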
>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@macomnet.ru>
To: Andrei Iltchenko <iltchenko@yahoo.com>
Cc: bug-followup@freebsd.org
Subject: Re: kern/66386: Buffer overrun in the 'in_pcbopts' function.
Date: Sun, 9 May 2004 17:44:23 +0400 (MSD)

 On Sat, 8 May 2004, 06:33-0700, Andrei Iltchenko wrote:
 [...]
 > >Description:
 >       The 'ip_pcbopts' function from 'ip_output.c' features a buffer overrun which
 > takes place whenever either an 'IPOPT_LSRR' or an 'IPOPT_SSRR' option is supplied.
 >      Here's the offending piece of code:
 >                         /*
 >                          * Then copy rest of options back
 >                          * to close up the deleted entry.
 >                          */
 >                         ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
 >                             sizeof(struct in_addr)),
 >                             (caddr_t)&cp[IPOPT_OFFSET+1],
 >                             (unsigned)cnt + sizeof(struct in_addr));
 >                         break;
 >
 > The problem in question is the last argument in the above call to
 > 'ovbcopy', which runs over the end of the buffer by 7 bytes (i386).
 > >How-To-Repeat:
 >
 > >Fix:
 >       The call to 'ovbcopy' should be rewritten to read:
 >                         /*
 >                          * Then copy rest of options back
 >                          * to close up the deleted entry.
 >                          */
 >                         ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
 >                             sizeof(struct in_addr)),
 >                             (caddr_t)&cp[IPOPT_OFFSET+1],
 >                             (unsigned)cnt - IPOPT_MINOFF-1);
 >                         break;
 
 Did you mean "(unsigned)cnt - (IPOPT_MINOFF - 1))"?
 
 Index: ip_output.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v
 retrieving revision 1.215
 diff -u -r1.215 ip_output.c
 --- ip_output.c	14 Apr 2004 01:13:14 -0000	1.215
 +++ ip_output.c	9 May 2004 13:40:41 -0000
 @@ -1735,7 +1735,7 @@
  			 */
  			bcopy((&cp[IPOPT_OFFSET+1] + sizeof(struct in_addr)),
  			    &cp[IPOPT_OFFSET+1],
 -			    (unsigned)cnt + sizeof(struct in_addr));
 +			    (unsigned)cnt - (IPOPT_MINOFF - 1));
  			break;
  		}
  	}
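Review bot: the new length `(unsigned)cnt - (IPOPT_MINOFF - 1)` is an unsigned subtraction and wraps to a huge copy if cnt is ever below 3 at this point; the bound that rules that out is not in this hunk, so a one-line comment at the copy (or a KASSERT on cnt) would record what the length depends on. The constant would also read better tied to the source expression two lines up: the bytes skipped are `&cp[IPOPT_OFFSET+1]` plus one address, so `cnt - (IPOPT_OFFSET + 1)` says directly why 3 is subtracted, whereas `IPOPT_MINOFF - 1` only happens to equal it.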
 %%%
 
 -- 
 Maxim Konovalov

From: Andrei Iltchenko <iltchenko@yahoo.com>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: bug-followup@freebsd.org
Subject: Re: kern/66386: Buffer overrun in the 'in_pcbopts' function.
Date: Mon, 10 May 2004 12:53:14 -0700 (PDT)

 Yes, I did mean "(unsigned)cnt - (IPOPT_MINOFF - 1))".
 Sorry for the slipup.
 
 Regards,
 Andrei.
 
 --- Maxim Konovalov <maxim@macomnet.ru> wrote:
 > 
 > Did you mean "(unsigned)cnt - (IPOPT_MINOFF - 1))"?
 > 
 > Index: ip_output.c
 >
 ===================================================================
 > RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v
 > retrieving revision 1.215
 > diff -u -r1.215 ip_output.c
 > --- ip_output.c	14 Apr 2004 01:13:14 -0000	1.215
 > +++ ip_output.c	9 May 2004 13:40:41 -0000
 > @@ -1735,7 +1735,7 @@
 >  			 */
 >  			bcopy((&cp[IPOPT_OFFSET+1] + sizeof(struct
 > in_addr)),
 >  			    &cp[IPOPT_OFFSET+1],
 > -			    (unsigned)cnt + sizeof(struct in_addr));
 > +			    (unsigned)cnt - (IPOPT_MINOFF - 1));
 >  			break;
 >  		}
 >  	}
 > %%%
 > 
 > -- 
 > Maxim Konovalov
 
Responsible-Changed-From-To: freebsd-bugs->maxim 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Tue May 11 01:34:16 PDT 2004 
Responsible-Changed-Why:  
Over to IP options addict. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66386 
State-Changed-From-To: open->patched 
State-Changed-By: maxim 
State-Changed-When: Tue May 11 12:27:41 PDT 2004 
State-Changed-Why:  
Fixed in -CURRENT, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66386 
State-Changed-From-To: patched->closed 
State-Changed-By: maxim 
State-Changed-When: Tue Jun 1 00:46:02 PDT 2004 
State-Changed-Why:  
Fixed in -STABLE as well. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66386 
>Unformatted:
