From what I can tell getsockaddr() (kern/uipc_syscalls.c) is called
with a user-supplied length as its argument. It checks for
len > SOCK_MAXADDRLEN, but it does not check to see if the length is
too small and it may MALLOC() a structure, 'sa', which is too small
for the assignment or assignments it then proceeds to do. e.g.
'sa->sa_len = len'. This could potentially assign a field that is
beyond the malloc'd region.
In particular, if you create a UNIX domain socket and bind(...) a
0-length structure, the malloc function will be called
with a length of 0 and sa->sa_len will be assigned to the resulting
memory.
Now, due to the the way the allocator works there might be a minimum
allocation anyway (there is in the old malloc, but I am not sure about
the slab allocator), so this may or may not be a security issue, but it
definitely looks like a rather serious API violation.
If I understand sockaddr's properly, the minimum size is going to be
offsetof(struct sockaddr, sa_data[0]), which is 2 bytes. A check
for this minimum should probably be added to getsockaddr().
-Matt
Matthew Dillon
<[EMAIL PROTECTED]>
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
