>Number: 6500
>Category: user
>Synopsis: sbin/route/route.c: Incorrect array bounds checking
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Oct 24 18:40:01 GMT 2010
>Closed-Date:
>Last-Modified:
>Originator:
>Release:
>Organization:
>Environment:
System : OpenBSD 4.7
Details : OpenBSD 4.7-current (BOGGIS) #0: Tue May 25 10:16:10 EDT 2010
[email protected]:/usr/src/sys/arch/i386/compile/BOGGIS
Architecture: OpenBSD.i386
Machine : i386
>Description:
sbin/route/route.c has incorrect bounds checking of msgtypes[] in
print_rtmsg(): rtm->rtm_type, taken straight from the received message, is
used as an index without being checked against the size of the array:
char *msgtypes[] = {
	"",
	"RTM_ADD: Add Route",
	"RTM_DELETE: Delete Route",
	...
	NULL
};
...
void
print_rtmsg(struct rt_msghdr *rtm, int msglen)
{
	...
	printf("%s: len %d", msgtypes[rtm->rtm_type], rtm->rtm_msglen);
	...
There are also no checks there on the received message length (msglen), so a
message shorter than struct rt_msghdr is still dereferenced as a full header.
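For comparison, the same lookup with both checks in place. This is an added example, not code from route.c: struct rt_msghdr is reduced to its three leading fields (the real header is much longer, so the 4-byte message from the report would already fail the length check against it), RTM_VERSION is assumed to be 4 as packed in the report's test message, and the names rtm_type_name, rtm_check and describe_rtmsg are the example's own.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified: only the leading fields of the BSD routing message header
 * (the real struct has many more fields after rtm_type). */
struct rt_msghdr {
	uint16_t rtm_msglen;   /* total length of the message, in bytes */
	uint8_t  rtm_version;  /* must be RTM_VERSION */
	uint8_t  rtm_type;     /* message type, used to index msgtypes[] */
};
#define RTM_VERSION 4      /* assumption: matches the report's test message */

static const char *msgtypes[] = {
	"",
	"RTM_ADD: Add Route",
	"RTM_DELETE: Delete Route",
	/* remaining RTM_* names elided as on the original page */
	NULL
};
/* number of usable entries, excluding the terminating NULL */
#define NMSGTYPES (sizeof(msgtypes) / sizeof(msgtypes[0]) - 1)

/* Checked replacement for msgtypes[rtm->rtm_type]: an out-of-range type
 * yields a fallback string instead of a read past the end of the array. */
const char *rtm_type_name(unsigned type)
{
	if (type >= NMSGTYPES || msgtypes[type] == NULL)
		return "unknown message type";
	return msgtypes[type];
}

/* Validate what was read from the PF_ROUTE socket before touching any
 * header field: the buffer must hold a whole header, the header must
 * claim the length actually received, and the version must be known. */
int rtm_check(const void *buf, size_t msglen, const struct rt_msghdr **out)
{
	const struct rt_msghdr *rtm = buf;
	if (msglen < sizeof(*rtm))
		return -1;   /* short read: header is truncated */
	if (rtm->rtm_msglen != msglen || rtm->rtm_version != RTM_VERSION)
		return -1;   /* header disagrees with what arrived */
	*out = rtm;
	return 0;
}

/* What print_rtmsg() would format, written into out; -1 if the message
 * fails rtm_check() and must not be interpreted at all. */
int describe_rtmsg(const void *buf, size_t msglen, char *out, size_t outlen)
{
	const struct rt_msghdr *rtm;
	if (rtm_check(buf, msglen, &rtm) < 0)
		return -1;
	snprintf(out, outlen, "%s: len %u", rtm_type_name(rtm->rtm_type),
	    (unsigned)rtm->rtm_msglen);
	return 0;
}
```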
>How-To-Repeat:
Run `route monitor` and send an invalid message to a PF_ROUTE socket:
littlesav...@wolfman $ route monitor &
[1] 4183
littlesav...@wolfman $ perl -MSocket -e 'socket(SOCK, PF_ROUTE, SOCK_RAW, 0); syswrite(SOCK, pack("Scc",4,4,0x20));'
got message of size 4 on Sun Oct 24 14:26:47 2010
[1]+ Segmentation fault (core dumped) route monitor
>Fix:
dmesg:
>Release-Note:
>Audit-Trail:
>Unformatted: