Hi,
I am the maintainer of the qmail FreeBSD port.
I received the following patch request.
I was wondering, the code seems okay to me.
However, depending on the local implementation of ioctl his
allegations pose a window of opportunity.
Suggestions? Mr. Bernstein?
Regards,
Mario Ferreira
ps: please, don't flame me. This is a sincere doubt.
pss: please, cc: lioux at linf.unb.br for I am not subscribed to this list right now.
----- Begin forwarded message -----
Hi,
Can you add the following as patch-ad in the qmail port? In the following
snippet of code, ifc.ifc_len can be larger than 256 when certain
point-to-point links or IPv6 is enabled. This causes a buffer overflow in
the ioctl call. Upping the buffer size to 1024 takes care of the problem.
barry
for (;;) {
  if (!stralloc_ready(&buf,len)) { close(s); return 0; }
  buf.len = 0;
  ifc.ifc_buf = buf.s;
  ifc.ifc_len = len;                 /* tell the kernel how much room it has */
  if (ioctl(s,SIOCGIFCONF,&ifc) >= 0) /* > is for System V */
    if (ifc.ifc_len + sizeof(*ifr) + 64 < len) { /* what a stupid interface */
      buf.len = ifc.ifc_len;         /* enough slack left: the list is complete */
      break;
    }
  if (len > 200000) { close(s); return -1; }
  len += 100 + (len >> 2);           /* otherwise grow the buffer and retry */
}
======= patch-ad ============
--- ipme.c.~1~ Mon Jun 15 06:53:16 1998
+++ ipme.c Sat Nov 20 18:21:26 1999
@@ -48,7 +48,7 @@
if ((s = socket(AF_INET,SOCK_STREAM,0)) == -1) return -1;
- len = 256;
+ len = 1024;
for (;;) {
if (!stralloc_ready(&buf,len)) { close(s); return 0; }
buf.len = 0;
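Review bot: the hunk only moves the starting point of the retry loop, so the patch description should say which ioctl implementation writes beyond the ifc_len it was handed (or returns an ifc_len larger than it); the context lines show stralloc_ready(&buf,len) sizing the buffer to the same len that is passed as ifc.ifc_len, and the loop quoted above grows len by 100 + (len >> 2) up to 200000 whenever the reply does not leave sizeof(*ifr) + 64 bytes of slack, so a list longer than 256 bytes is handled by a second round rather than written past the buffer. As written, 1024 only makes a misbehaving ioctl rarer to hit, it does not fix it; if the motivation is to skip the extra rounds on hosts with many point-to-point or IPv6 interfaces, a one-line comment next to `len = 1024;` saying so would document the choice.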
----- End forwarded message -----
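To see what the starting size actually changes, here is a small C model of the ipme.c retry loop quoted in the forwarded message (an added example, not code from the thread or from qmail): it reimplements the grow-until-slack rule against a constructed kernel that never writes past the buffer it is given, so the SIOCGIFCONF rounds from 256 versus 1024 can be counted and the give-up path exercised. IFREQ_SIZE, fake_ifconf and the ipme_* names are assumptions, and the 32-byte record size is assumed for FreeBSD's struct ifreq.

```c
#include <stddef.h>

/* Assumed: sizeof(struct ifreq) on FreeBSD, standing in for sizeof(*ifr). */
#define IFREQ_SIZE   32
/* Constants taken from the ipme.c loop quoted in the thread. */
#define IPME_MAX_LEN 200000UL
#define IPME_SLACK   (IFREQ_SIZE + 64)

/* After one SIOCGIFCONF call that was given `len` bytes and came back with
 * ifc.ifc_len == `got`: returns 0 when the list fit with IPME_SLACK bytes to
 * spare, -1 when ipme.c gives up, otherwise the next `len` to retry with.
 * A kernel short of room fills the buffer to its end, so `got` close to
 * `len` is the only hint the loop has that the list was truncated. */
long ipme_next_len(size_t len, size_t got)
{
    if (got + IPME_SLACK < len) return 0;
    if (len > IPME_MAX_LEN)     return -1;
    return (long)(len + 100 + (len >> 2));  /* ipme.c: len += 100 + (len >> 2) */
}

/* Constructed stand-in for the kernel side of SIOCGIFCONF: it has `nifaces`
 * interfaces to report and never writes past `len`, so a short buffer is
 * filled with as many whole records as fit. */
size_t fake_ifconf(size_t nifaces, size_t len)
{
    size_t need = nifaces * IFREQ_SIZE;
    size_t room = len - len % IFREQ_SIZE;
    return need < room ? need : room;
}

/* Run the ipme.c sizing loop against the fake kernel from `start_len`
 * (256 as shipped, 1024 in the proposed patch). Returns the buffer size
 * that finally held every record, or 0 when the loop gives up; *rounds
 * counts the ioctl calls that would have been made. */
size_t ipme_size_buffer(size_t nifaces, size_t start_len, int *rounds)
{
    size_t len = start_len;
    *rounds = 0;
    for (;;) {
        long next = ipme_next_len(len, fake_ifconf(nifaces, len));
        ++*rounds;
        if (next == 0)  return len;
        if (next == -1) return 0;
        len = (size_t)next;
    }
}
```

With 40 interfaces the shipped 256 needs six rounds and ends at 1601 bytes, while 1024 needs two and ends at 1380; a list that cannot fit below the 200000 cap makes the loop return 0, which in ipme.c is the `return -1` path.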