NetBSD Problem Report #49676
From ryo@nerv.org Wed Feb 18 12:42:44 2015
Message-Id: <20150218124240.254871CC0B4@yaml.nerv.org>
Date: Wed, 18 Feb 2015 21:42:40 +0900 (JST)
From: ryo@nerv.org
Reply-To: ryo@nerv.org
To: gnats-bugs@NetBSD.org
Subject: ICMP_STATINC() buffer overflows
X-Send-Pr-Version: 3.95
>Number: 49676
>Category: kern
>Synopsis: ICMP_STATINC() buffer overflows
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Feb 18 12:45:00 +0000 2015
>Closed-Date: Mon Feb 15 11:07:47 +0000 2016
>Last-Modified: Mon Feb 15 11:07:47 +0000 2016
>Originator: Ryo Shimizu
>Release: NetBSD 7.99.5
>Organization:
>Environment:
System: NetBSD cubox 7.99.5 NetBSD 7.99.5 (CUBOX-I) #12: Wed Feb 18 21:35:18 JST 2015 ryo@phenomena:/src/cvs/NetBSD/sys/arch/evbarm/compile/CUBOX-I evbarm
Architecture: earmhf
Machine: evbarm
>Description:
ICMP_STATINC(ICMP_STAT_INHIST + icp->icmp_type) in icmp_input(), and
ICMP_STATINC(ICMP_STAT_OUTHIST + type) in icmp_error() have buffer overflows.
In netinet/icmp_var.h, ICMP_STAT_OUTHIST and ICMP_STAT_INHIST are not large enough.
    #define ICMP_STAT_LAST 16 /* Allow for 5 spare ones */
    #define ICMP_STAT_OUTHIST ICMP_STAT_LAST
    #define ICMP_STAT_INHIST (ICMP_STAT_LAST + ICMP_MAXTYPE)
    #define ICMP_NSTATS (ICMP_STAT_LAST + 2 * ICMP_MAXTYPE)
ICMP_MAXTYPE is defined as 40 in netinet/ip_icmp.h,
therefore the size of ICMP_STAT_{IN,OUT}HIST must be 41 (ICMP_MAXTYPE + 1).
>How-To-Repeat:
# netstat -s | grep -3 photuris
0 multicast echo requests ignored
0 multicast timestamp requests ignored
Input histogram:
photuris: 4625654489024812944
0 message responses generated
0 path MTU changes
igmp:
The photuris value is abnormal.
>Fix:
Index: icmp_var.h
===================================================================
RCS file: /cvsroot/src/sys/netinet/icmp_var.h,v
retrieving revision 1.29
diff -a -u -r1.29 icmp_var.h
--- icmp_var.h 24 Dec 2011 19:54:41 -0000 1.29
+++ icmp_var.h 17 Feb 2015 08:16:40 -0000
@@ -56,8 +56,8 @@
#define ICMP_STAT_BMCASTTSTAMP 10 /* b/mcast tstamp requests dropped */
#define ICMP_STAT_LAST 16 /* Allow for 5 spare ones */
#define ICMP_STAT_OUTHIST ICMP_STAT_LAST
-#define ICMP_STAT_INHIST (ICMP_STAT_LAST + ICMP_MAXTYPE)
-#define ICMP_NSTATS (ICMP_STAT_LAST + 2 * ICMP_MAXTYPE)
+#define ICMP_STAT_INHIST (ICMP_STAT_LAST + ICMP_MAXTYPE + 1)
+#define ICMP_NSTATS (ICMP_STAT_LAST + 2 * (ICMP_MAXTYPE + 1))
/*
* Names for ICMP sysctl objects
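Review bot: the two changed defines, ICMP_STAT_INHIST and ICMP_NSTATS, each spell out ICMP_MAXTYPE + 1 by hand, so the histogram width is now encoded in two places and the same off-by-one can return if only one of them is edited later. Consider deriving both from a single named count (for example a hypothetical ICMP_NTYPES defined as ICMP_MAXTYPE + 1) and adding a comment at ICMP_STAT_OUTHIST saying that each histogram holds one slot per type value 0..ICMP_MAXTYPE. The new size is also only sufficient if the callers named in the description index with a type that has already been checked against ICMP_MAXTYPE; that check is not visible in this hunk and should be confirmed in icmp_input() and icmp_error().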
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49676 CVS commit: src/sys/netinet
Date: Wed, 18 Feb 2015 12:00:16 -0500
Module Name: src
Committed By: christos
Date: Wed Feb 18 17:00:16 UTC 2015
Modified Files:
src/sys/netinet: icmp_var.h ip_icmp.h
Log Message:
PR/49676: Ryo Shimizu: ICMP_STATINC() buffer overflows
XXX: pullup-7
To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/sys/netinet/icmp_var.h
cvs rdiff -u -r1.33 -r1.34 src/sys/netinet/ip_icmp.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49676 CVS commit: [netbsd-6] src/sys/netinet
Date: Sat, 21 Feb 2015 13:01:31 +0000
Module Name: src
Committed By: martin
Date: Sat Feb 21 13:01:31 UTC 2015
Modified Files:
src/sys/netinet [netbsd-6]: icmp_var.h ip_icmp.h
Log Message:
Pull up following revision(s) (requested by christos in ticket #1258):
sys/netinet/icmp_var.h: revision 1.30
sys/netinet/ip_icmp.h: revision 1.34
PR/49676: Ryo Shimizu: ICMP_STATINC() buffer overflows
To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.2.1 src/sys/netinet/icmp_var.h
cvs rdiff -u -r1.33 -r1.33.2.1 src/sys/netinet/ip_icmp.h
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49676 CVS commit: [netbsd-6-1] src/sys/netinet
Date: Sat, 21 Feb 2015 13:05:38 +0000
Module Name: src
Committed By: martin
Date: Sat Feb 21 13:05:38 UTC 2015
Modified Files:
src/sys/netinet [netbsd-6-1]: icmp_var.h ip_icmp.h
Log Message:
Pull up following revision(s) (requested by christos in ticket #1258):
sys/netinet/icmp_var.h: revision 1.30
sys/netinet/ip_icmp.h: revision 1.34
PR/49676: Ryo Shimizu: ICMP_STATINC() buffer overflows
To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.16.1 src/sys/netinet/icmp_var.h
cvs rdiff -u -r1.33 -r1.33.16.1 src/sys/netinet/ip_icmp.h
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49676 CVS commit: [netbsd-6-0] src/sys/netinet
Date: Sat, 21 Feb 2015 13:06:35 +0000
Module Name: src
Committed By: martin
Date: Sat Feb 21 13:06:35 UTC 2015
Modified Files:
src/sys/netinet [netbsd-6-0]: icmp_var.h ip_icmp.h
Log Message:
Pull up following revision(s) (requested by christos in ticket #1258):
sys/netinet/icmp_var.h: revision 1.30
sys/netinet/ip_icmp.h: revision 1.34
PR/49676: Ryo Shimizu: ICMP_STATINC() buffer overflows
To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.8.1 src/sys/netinet/icmp_var.h
cvs rdiff -u -r1.33 -r1.33.8.1 src/sys/netinet/ip_icmp.h
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49676 CVS commit: [netbsd-7] src/sys/netinet
Date: Sat, 21 Feb 2015 18:24:51 +0000
Module Name: src
Committed By: martin
Date: Sat Feb 21 18:24:51 UTC 2015
Modified Files:
src/sys/netinet [netbsd-7]: icmp_var.h ip_icmp.h
Log Message:
Pull up following revision(s) (requested by christos in ticket #537):
sys/netinet/icmp_var.h: revision 1.30
sys/netinet/ip_icmp.h: revision 1.34
PR/49676: Ryo Shimizu: ICMP_STATINC() buffer overflows
XXX: pullup-7
To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.22.1 src/sys/netinet/icmp_var.h
cvs rdiff -u -r1.33 -r1.33.22.1 src/sys/netinet/ip_icmp.h
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 15 Feb 2016 11:07:47 +0000
State-Changed-Why:
fixed and pulled up a year ago
>Unformatted:
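The index arithmetic from the Description, worked through as an added example (not code from the PR or from NetBSD): it models the counter array with the two constants quoted in the report and shows which icmp_type value goes wrong before the fix and that none does after it. The struct layout type, the function names and the guard-word model are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the report (netinet/ip_icmp.h, netinet/icmp_var.h). */
#define ICMP_MAXTYPE   40	/* valid icmp_type values are 0..40, i.e. 41 */
#define ICMP_STAT_LAST 16

/* Hypothetical helper type: one layout of the ICMP counter array. */
struct layout { int outhist, inhist, nstats; };

static const struct layout before_fix = { ICMP_STAT_LAST,
    ICMP_STAT_LAST + ICMP_MAXTYPE, ICMP_STAT_LAST + 2 * ICMP_MAXTYPE };
static const struct layout after_fix = { ICMP_STAT_LAST,
    ICMP_STAT_LAST + ICMP_MAXTYPE + 1, ICMP_STAT_LAST + 2 * (ICMP_MAXTYPE + 1) };

/* Lowest icmp_type whose input-histogram slot is past the array, or -1. */
int first_inhist_overflow(const struct layout *l) {
    for (int type = 0; type <= ICMP_MAXTYPE; type++)
        if (l->inhist + type >= l->nstats)
            return type;
    return -1;
}

/* Lowest icmp_type whose output slot lands in the input histogram, or -1. */
int first_outhist_alias(const struct layout *l) {
    for (int type = 0; type <= ICMP_MAXTYPE; type++)
        if (l->outhist + type >= l->inhist)
            return type;
    return -1;
}

/* Count one input message of every type into a model array that carries a
 * guard word after the last real counter; return what landed in the guard. */
uint64_t guard_after_counting(const struct layout *l) {
    uint64_t stats[ICMP_STAT_LAST + 2 * (ICMP_MAXTYPE + 1) + 1] = { 0 };
    for (int type = 0; type <= ICMP_MAXTYPE; type++)
        stats[l->inhist + type]++;  /* models ICMP_STATINC(INHIST + type) */
    return stats[l->nstats];        /* first word past the real array */
}

int main(void) {
    const struct layout *l[2] = { &before_fix, &after_fix };
    for (int i = 0; i < 2; i++)
        printf("%s fix: overflow at type %d, alias at type %d, guard %llu\n",
            i ? "after" : "before", first_inhist_overflow(l[i]),
            first_outhist_alias(l[i]),
            (unsigned long long)guard_after_counting(l[i]));
    return 0;
}
```

Before the fix only type 40 is affected: its input counter sits one element past the end of the array, and its output counter shares a slot with input type 0.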
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.