I have stumbled upon a local DoS (non-kernel) while writing a VoIP app for FreeBSD. The DoS exists when two ioctl calls (or less/more?) are followed by a malloc call to malloc a pointer in global scope which is then followed by two more (or less/more?) ioctl calls. The result is a stack smash, and upon return of the function, the program segfaults.
gdb output of the core dump:

Core was generated by `a.out'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x00000080 in ?? ()

I am currently running:

FreeBSD 5.3-BETA7 FreeBSD 5.3-BETA7 #2: Sun Oct 10 21:05:53 MDT 2004 shawn@:/usr/obj/usr/src/sys/LATERALUS i386

I have confirmed the same results on multiple FreeBSD machines, each running different versions spanning 4.10-RELEASE to 5.2.1-RELEASE (and my 5.3-BETA7 machine).

Shawn Webb
http://retoros.org:81/

(attached is the source code to the segfaulting application)

