[DragonFlyBSD - Bug #3012] (Closed) sys/net/libalias, usr.sbin/cdcontrol and usr.sbin/ppp

bugtracker-admin at leaf.dragonflybsd.org
Mon Apr 10 22:31:26 PDT 2017


Issue #3012 has been updated by dillon.

Status changed from New to Closed

Fix some minor issues.  The overflows in cdcontrol.c and ppp/link.c do not appear to be exploitable (and the programs are hardly ever used by anyone).

Fix committed by Matt

----------------------------------------
Bug #3012: sys/net/libalias, usr.sbin/cdcontrol and usr.sbin/ppp
http://bugs.dragonflybsd.org/issues/3012#change-13125

* Author: dcb
* Status: Closed
* Priority: Normal
* Assignee: 
* Category: 
* Target version: 
----------------------------------------
1.

dragonfly/sys/net/libalias/alias_irc.c:98] -> [dragonfly/sys/net/libalias/alias_irc.c:98]: (style) Same expression on both sides of '||'.

Source code is

    if (ah->dport == NULL || ah->dport == NULL || ah->lnk == NULL ||
        ah->maxpktsize == 0)

Possible missing mention of sport?

2.

usr.sbin/cdcontrol/cdcontrol.c:1176: (error) Array 'buf[80]' accessed at index 80, which is out of bounds.

     buf[len] = 0;

Maybe better code

     buf[len - 1] = 0;

3.

usr.sbin/ppp/link.c:199]: (error) Array 'l.proto_in[13]' accessed at index 13, which is out of bounds.

Source code is

  for (i = 0; i < NPROTOSTAT; i++)
    if (ProtocolStat[i].number == proto)
      break;

  if (type == PROTO_IN)
    l->proto_in[i]++;

There doesn't seem to be any code here to deal with the case that 
i is out of range, because we don't find what we are looking for.

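Added example for item 3, not part of the original report and not the committed fix: a lookup that reports "not found" explicitly, so the counter update never runs with i == NPROTOSTAT. The table contents, the reduced NPROTOSTAT, the PROTO_IN/PROTO_OUT values, the proto_unknown counter and the helper names proto_index and link_record are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define NPROTOSTAT 4   /* constructed size; the reported array has 13 slots */
#define PROTO_IN   1   /* values assumed for this example */
#define PROTO_OUT  2

/* Constructed sample table, not the project's real protocol list. */
static const struct { uint16_t number; const char *name; } ProtocolStat[NPROTOSTAT] = {
    { 0x0021, "IP" }, { 0xc021, "LCP" }, { 0x8021, "IPCP" }, { 0xc023, "PAP" },
};

struct link {
    unsigned long proto_in[NPROTOSTAT];
    unsigned long proto_out[NPROTOSTAT];
    unsigned long proto_unknown;   /* hypothetical counter for unmatched protocols */
};

/* Return the table index for proto, or -1 when the search finds no match. */
static int proto_index(uint16_t proto)
{
    for (int i = 0; i < NPROTOSTAT; i++)
        if (ProtocolStat[i].number == proto)
            return i;
    return -1;
}

/* Record one packet; returns 1 if a per-protocol slot was updated, else 0. */
static int link_record(struct link *l, uint16_t proto, int type)
{
    int i = proto_index(proto);
    if (i < 0) {                   /* the case the reported code did not handle */
        l->proto_unknown++;
        return 0;
    }
    if (type == PROTO_IN)
        l->proto_in[i]++;
    else
        l->proto_out[i]++;
    return 1;
}

int main(void)
{
    struct link l = {0};
    link_record(&l, 0x0021, PROTO_IN);   /* known protocol: proto_in[0] */
    link_record(&l, 0xffff, PROTO_IN);   /* no match: no out-of-bounds write */
    printf("in[0]=%lu unknown=%lu\n", l.proto_in[0], l.proto_unknown);
    return 0;
}
```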