From ernie!bert.kts.org!hm@ppp.net  Mon Aug 10 05:02:25 1998
Received: from mail.ppp.net (mail.ppp.net [194.64.12.35])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA28715
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Aug 1998 05:02:23 -0700 (PDT)
          (envelope-from ernie!bert.kts.org!hm@ppp.net)
Received: from casparc.ppp.net (casparc2.ppp.net [194.64.12.42])
	by mail.ppp.net (8.8.8/8.8.8) with SMTP id OAA06028
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Aug 1998 14:02:02 +0200
Received: from ernie by casparc.ppp.net with uucp
	(Smail3.1.28.1 #1) id m0z5qeH-002ZjZC; Mon, 10 Aug 98 14:02 MET DST
Received: from bert.kts.org(really [194.55.156.2]) by ernie.kts.org
	via sendmail with smtp
	id <m0z5qMh-00001tC@ernie.kts.org>
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Aug 1998 13:43:51 +0200 (CEST)
	(Smail-3.2.0.91 1997-Jan-14 #3 built 1998-Feb-14)
Received: by bert.kts.org
	via sendmail with stdio
	id <m0z5qGP-000029C@bert.kts.org>
	for FreeBSD-gnats-submit@freebsd.org; Mon, 10 Aug 1998 13:37:21 +0200 (CEST)
	(Smail-3.2.0.94 1997-Apr-22 #1 built 1998-Jun-6)
Message-Id: <m0z5qGP-000029C@bert.kts.org>
Date: Mon, 10 Aug 1998 13:37:21 +0200 (CEST)
From: hm@kts.org
Reply-To: hm@kts.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: potential sl_compress_init problem in slcompress.c and if_ppp.c
X-Send-Pr-Version: 3.2

>Number:         7556
>Category:       kern
>Synopsis:       sl_compress_init() will fail if called with anything other than -1 or > MAX_STATES
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          suspended
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 10 05:10:00 PDT 1998
>Closed-Date:    
>Last-Modified:  Mon Sep 13 05:36:09 GMT 2004
>Originator:     Hellmuth Michaelis
>Release:        FreeBSD 2.2.6-RELEASE i386
>Organization:
Kitchen Table Systems
>Environment:

Any environment where Van Jacobson header compression is needed and the
compression routines in slcompress.c are used for this purpose. This
report is based on sources from FreeBSD 2.2.5 and 2.2.6.

>Description:

The subroutine sl_compress_init(comp, max_state) in slcompress.c at least
implies that the state table can be changed to any value dynamically if
called with some appropriate value for max_state.

This is not true, because the corresponding table is initialized by the
hardcoded MAX_STATES value in the header file slcompress.h.

Calling sl_compress_init() with a value greater than MAX_STATES will cause
writes outside the slcompress structure - bad things happen.

sl_compress_init() is currently used like this in the kernel PPP driver,
if_ppp.c:

#ifdef VJC
    case PPPIOCSMAXCID:
        if (error = suser(p->p_ucred, &p->p_acflag))
            return (error);
        s = splnet();
        sl_compress_init(&sc->sc_comp, *(int *)data);
        splx(s);
        break;
#endif

In this case, if this ioctl is ever issued with a value other than -1 or
with a value greater than MAX_STATES, random writes into other unknown
data structures will occur!

>How-To-Repeat:

Call sl_compress_init() with a max_state value of, e.g., 64. (Caution:
make a backup before doing this!)

>Fix:

Immediately disable the usage of any parameter for max_state other than
-1 now!

For the future, make the tstate and rstate structures in struct slcompress
resize dynamically so sl_compress_init() is able to do what it should be
able to do.

>Release-Note:
>Audit-Trail:

From: Brian Somers <brian@Awfulhak.org>
To: hm@kts.org
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/7556: potential sl_compress_init problem in slcompress.c and if_ppp.c 
Date: Mon, 10 Aug 1998 21:29:13 +0100

 > 
 > >Number:         7556
 > >Category:       kern
 > >Synopsis:       sl_compress_init() will fail if called anything else than -1 or >MAX_STATE
 [.....]
 If anyone picks this up (I haven't the time to be involved with 
 pppd), there's an additional problem when a number of states is 
 negotiated that != MAX_STATES.  Namely, it's possible that the peer 
 may agree on (say) 8 states, then proceed to send a header with a 
 slot id of (say) 10.  The end result is that a zero'd slot entry is 
 ``adjusted'' by the VJ deltas and will most likely cause a stack 
 scribble.  We all know what happens to this in kernel mode :-/
 
 This has been fixed in src/usr.sbin/ppp/slcompress.c - but I don't 
 know how compatible the sources are.
 
 -- 
 Brian <brian@Awfulhak.org>, <brian@FreeBSD.org>, <brian@OpenBSD.org>
       <http://www.Awfulhak.org>
 Don't _EVER_ lose your sense of humour....
 
 
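As an added example (not code from the PR, from if_ppp.c or from FreeBSD's slcompress.c), a simplified model of the fixed-size tables with a bounds-checked sl_compress_init(), plus the receive-side slot check that Brian's reply calls for. The struct layout, the `nstates` field and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_STATES 16                /* fixed table size, as in slcompress.h */

/* Simplified stand-in for struct cstate (constructed for this example). */
struct cstate {
    unsigned char  cs_id;
    struct cstate *cs_next;
};

/* Simplified stand-in for struct slcompress: both tables are fixed arrays,
 * so no max_state value can make them larger. */
struct slcompress {
    struct cstate *last_cs;
    unsigned char  last_recv, last_xmit;
    unsigned char  nstates;          /* assumed: negotiated slot count, kept for receive checks */
    struct cstate  tstate[MAX_STATES];
    struct cstate  rstate[MAX_STATES];
};

/* Bounds-checked init. The PR's point is that the real routine loops over
 * tstate[max_state..1] without comparing max_state to MAX_STATES, so a larger
 * value writes past the array. Returns 0 on success, -1 if max_state is rejected. */
int sl_compress_init_checked(struct slcompress *comp, int max_state)
{
    int i;
    if (max_state == -1)
        max_state = MAX_STATES - 1;      /* the only argument the PR considers safe */
    if (max_state < 0 || max_state > MAX_STATES - 1)
        return -1;                       /* reject instead of scribbling over rstate and beyond */
    memset(comp, 0, sizeof(*comp));
    for (i = max_state; i > 0; --i) {
        comp->tstate[i].cs_id = (unsigned char)i;
        comp->tstate[i].cs_next = &comp->tstate[i - 1];
    }
    comp->tstate[0].cs_next = &comp->tstate[max_state];
    comp->last_cs = &comp->tstate[0];
    comp->last_recv = comp->last_xmit = 255;
    comp->nstates = (unsigned char)(max_state + 1);
    return 0;
}

/* Receive-side check for the case Brian describes: a slot id carried in an
 * incoming header must be below the negotiated count, not merely below
 * MAX_STATES, otherwise a zeroed slot gets "adjusted" by the VJ deltas.
 * Returns the slot, or NULL when the id must be rejected and the packet tossed. */
struct cstate *sl_recv_slot(struct slcompress *comp, unsigned int slot_id)
{
    if (slot_id >= comp->nstates || slot_id >= MAX_STATES)
        return NULL;
    return &comp->rstate[slot_id];
}
```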
State-Changed-From-To: open->suspended 
State-Changed-By: phk 
State-Changed-When: Thu Aug 13 23:10:44 PDT 1998 
State-Changed-Why:  
awaiting patch & committer 
Responsible-Changed-From-To: freebsd-bugs->hm 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sat Jul 12 22:21:05 PDT 2003 
Responsible-Changed-Why:  
hm is a committer, let him decide whether his PR is still valid 

http://www.freebsd.org/cgi/query-pr.cgi?pr=7556 
Responsible-Changed-From-To: hm->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Sep 13 05:35:51 GMT 2004 
Responsible-Changed-Why:  
Reassign to pool; maintainer is away from FreeBSD work due to press 
of other issues these days. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=7556 
>Unformatted:
