Prevent integer overflow in direct pipe write code from circumventing
virtual-to-physical page lookups. [09:09] Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10] Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11] Approved by: so (cperciva) Approved by: re (not really, but SVN wants this...) Security: FreeBSD-SA-09:09.pipe Security: FreeBSD-SA-09:10.ipv6 Security: FreeBSD-SA-09:11.ntpd
parent
4cc0c5560a
commit
632fa45574
@ -570,7 +570,7 @@ crypto_recv(
|
||||
peer->issuer = emalloc(vallen + 1);
|
||||
strcpy(peer->issuer, peer->subject);
|
||||
temp32 = (fstamp >> 16) & 0xffff;
|
||||
sprintf(statstr,
|
||||
snprintf(statstr, NTP_MAXSTRLEN,
|
||||
"flags 0x%x host %s signature %s", fstamp,
|
||||
peer->subject, OBJ_nid2ln(temp32));
|
||||
record_crypto_stats(&peer->srcadr, statstr);
|
||||
@ -636,7 +636,8 @@ crypto_recv(
|
||||
}
|
||||
peer->flash &= ~TEST8;
|
||||
temp32 = cinfo->nid;
|
||||
sprintf(statstr, "cert %s 0x%x %s (%u) fs %u",
|
||||
snprintf(statstr, NTP_MAXSTRLEN,
|
||||
"cert %s 0x%x %s (%u) fs %u",
|
||||
cinfo->subject, cinfo->flags,
|
||||
OBJ_nid2ln(temp32), temp32,
|
||||
ntohl(ep->fstamp));
|
||||
@ -685,7 +686,7 @@ crypto_recv(
|
||||
peer->crypto |= CRYPTO_FLAG_VRFY |
|
||||
CRYPTO_FLAG_PROV;
|
||||
peer->flash &= ~TEST8;
|
||||
sprintf(statstr, "iff fs %u",
|
||||
snprintf(statstr, NTP_MAXSTRLEN, "iff fs %u",
|
||||
ntohl(ep->fstamp));
|
||||
record_crypto_stats(&peer->srcadr, statstr);
|
||||
#ifdef DEBUG
|
||||
@ -733,7 +734,7 @@ crypto_recv(
|
||||
peer->crypto |= CRYPTO_FLAG_VRFY |
|
||||
CRYPTO_FLAG_PROV;
|
||||
peer->flash &= ~TEST8;
|
||||
sprintf(statstr, "gq fs %u",
|
||||
snprintf(statstr, NTP_MAXSTRLEN, "gq fs %u",
|
||||
ntohl(ep->fstamp));
|
||||
record_crypto_stats(&peer->srcadr, statstr);
|
||||
#ifdef DEBUG
|
||||
@ -774,7 +775,7 @@ crypto_recv(
|
||||
peer->crypto |= CRYPTO_FLAG_VRFY |
|
||||
CRYPTO_FLAG_PROV;
|
||||
peer->flash &= ~TEST8;
|
||||
sprintf(statstr, "mv fs %u",
|
||||
snprintf(statstr, NTP_MAXSTRLEN, "mv fs %u",
|
||||
ntohl(ep->fstamp));
|
||||
record_crypto_stats(&peer->srcadr, statstr);
|
||||
#ifdef DEBUG
|
||||
@ -828,7 +829,7 @@ crypto_recv(
|
||||
peer->crypto &= ~CRYPTO_FLAG_AUTO;
|
||||
peer->crypto |= CRYPTO_FLAG_AGREE;
|
||||
peer->flash &= ~TEST8;
|
||||
sprintf(statstr, "cook %x ts %u fs %u",
|
||||
snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
|
||||
peer->pcookie, ntohl(ep->tstamp),
|
||||
ntohl(ep->fstamp));
|
||||
record_crypto_stats(&peer->srcadr, statstr);
|
||||
@ -893,7 +894,7 @@ crypto_recv(
|
||||
peer->crypto &= ~CRYPTO_FLAG_AUTO;
|
||||
peer->crypto |= CRYPTO_FLAG_AGREE;
|
||||
peer->flash &= ~TEST8;
|
||||
sprintf(statstr, "cook %x ts %u fs %u",
|
||||
snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
|
||||
peer->pcookie, ntohl(ep->tstamp),
|
||||
ntohl(ep->fstamp));
|
||||
record_crypto_stats(&peer->srcadr, statstr);
|
||||
@ -944,7 +945,7 @@ crypto_recv(
|
||||
peer->pkeyid = bp->key;
|
||||
peer->crypto |= CRYPTO_FLAG_AUTO;
|
||||
peer->flash &= ~TEST8;
|
||||
sprintf(statstr,
|
||||
snprintf(statstr, NTP_MAXSTRLEN,
|
||||
"auto seq %d key %x ts %u fs %u", bp->seq,
|
||||
bp->key, ntohl(ep->tstamp),
|
||||
ntohl(ep->fstamp));
|
||||
@ -987,7 +988,8 @@ crypto_recv(
|
||||
peer->crypto |= CRYPTO_FLAG_SIGN;
|
||||
peer->flash &= ~TEST8;
|
||||
temp32 = cinfo->nid;
|
||||
sprintf(statstr, "sign %s 0x%x %s (%u) fs %u",
|
||||
snprintf(statstr, NTP_MAXSTRLEN,
|
||||
"sign %s 0x%x %s (%u) fs %u",
|
||||
cinfo->issuer, cinfo->flags,
|
||||
OBJ_nid2ln(temp32), temp32,
|
||||
ntohl(ep->fstamp));
|
||||
@ -1071,7 +1073,8 @@ crypto_recv(
|
||||
crypto_flags |= CRYPTO_FLAG_TAI;
|
||||
peer->crypto |= CRYPTO_FLAG_LEAP;
|
||||
peer->flash &= ~TEST8;
|
||||
sprintf(statstr, "leap %u ts %u fs %u", vallen,
|
||||
snprintf(statstr, NTP_MAXSTRLEN,
|
||||
"leap %u ts %u fs %u", vallen,
|
||||
ntohl(ep->tstamp), ntohl(ep->fstamp));
|
||||
record_crypto_stats(&peer->srcadr, statstr);
|
||||
#ifdef DEBUG
|
||||
@ -1127,7 +1130,7 @@ crypto_recv(
|
||||
* cheerfully ignored, as the message is not sent.
|
||||
*/
|
||||
if (rval > XEVNT_TSP) {
|
||||
sprintf(statstr,
|
||||
snprintf(statstr, NTP_MAXSTRLEN,
|
||||
"error %x opcode %x ts %u fs %u", rval,
|
||||
code, tstamp, fstamp);
|
||||
record_crypto_stats(&peer->srcadr, statstr);
|
||||
@ -1453,7 +1456,8 @@ crypto_xmit(
|
||||
*/
|
||||
if (rval != XEVNT_OK) {
|
||||
opcode |= CRYPTO_ERROR;
|
||||
sprintf(statstr, "error %x opcode %x", rval, opcode);
|
||||
snprintf(statstr, NTP_MAXSTRLEN,
|
||||
"error %x opcode %x", rval, opcode);
|
||||
record_crypto_stats(srcadr_sin, statstr);
|
||||
report_event(rval, NULL);
|
||||
#ifdef DEBUG
|
||||
@ -1952,7 +1956,8 @@ crypto_update(void)
|
||||
if (EVP_SignFinal(&ctx, tai_leap.sig, &len, sign_pkey))
|
||||
tai_leap.siglen = htonl(len);
|
||||
}
|
||||
sprintf(statstr, "update ts %u", ntohl(hostval.tstamp));
|
||||
snprintf(statstr, NTP_MAXSTRLEN,
|
||||
"update ts %u", ntohl(hostval.tstamp));
|
||||
record_crypto_stats(NULL, statstr);
|
||||
#ifdef DEBUG
|
||||
if (debug)
|
||||
@ -3606,7 +3611,7 @@ crypto_key(
|
||||
*/
|
||||
if ((ptr = strrchr(linkname, '\n')) != NULL)
|
||||
*ptr = '\0';
|
||||
sprintf(statstr, "%s mod %d", &linkname[2],
|
||||
snprintf(statstr, NTP_MAXSTRLEN, "%s mod %d", &linkname[2],
|
||||
EVP_PKEY_size(pkey) * 8);
|
||||
record_crypto_stats(NULL, statstr);
|
||||
#ifdef DEBUG
|
||||
@ -3715,8 +3720,8 @@ crypto_cert(
|
||||
|
||||
if ((ptr = strrchr(linkname, '\n')) != NULL)
|
||||
*ptr = '\0';
|
||||
sprintf(statstr, "%s 0x%x len %lu", &linkname[2], ret->flags,
|
||||
len);
|
||||
snprintf(statstr, NTP_MAXSTRLEN,
|
||||
"%s 0x%x len %lu", &linkname[2], ret->flags, len);
|
||||
record_crypto_stats(NULL, statstr);
|
||||
#ifdef DEBUG
|
||||
if (debug)
|
||||
@ -3832,7 +3837,7 @@ crypto_tai(
|
||||
for (j = 0; j < i; j++)
|
||||
*ptr++ = htonl(leapsec[j]);
|
||||
crypto_flags |= CRYPTO_FLAG_TAI;
|
||||
sprintf(statstr, "%s fs %u leap %u len %u", cp, fstamp,
|
||||
snprintf(statstr, NTP_MAXSTRLEN, "%s fs %u leap %u len %u", cp, fstamp,
|
||||
leapsec[--j], len);
|
||||
record_crypto_stats(NULL, statstr);
|
||||
#ifdef DEBUG
|
||||
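Review bot: Every new `snprintf(statstr, NTP_MAXSTRLEN, ...)` call bounds the write with a constant rather than the size of the destination, and `statstr` is declared outside all of these hunks, so the fix holds only while each declaration is at least `NTP_MAXSTRLEN` bytes. If `statstr` is a local array in each of crypto_recv, crypto_xmit, crypto_update, crypto_key, crypto_cert and crypto_tai, `snprintf(statstr, sizeof(statstr), ...)` would tie the limit to the buffer itself. The calls that format variable-length strings (`peer->subject` at -570, `cinfo->subject` at -636, `cinfo->issuer` at -987, `&linkname[2]` at -3606 and -3715, `cp` at -3832) now truncate silently. A short comment at the first call, such as `/* statstr is truncated to fit; the stats record may be cut short */`, would record that this is intended.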
|
@ -759,6 +759,8 @@ pipe_build_write_buffer(wpipe, uio)
|
||||
pmap = vmspace_pmap(curproc->p_vmspace);
|
||||
endaddr = round_page((vm_offset_t)uio->uio_iov->iov_base + size);
|
||||
addr = trunc_page((vm_offset_t)uio->uio_iov->iov_base);
|
||||
if (endaddr < addr)
|
||||
return (EFAULT);
|
||||
for (i = 0; addr < endaddr; addr += PAGE_SIZE, i++) {
|
||||
/*
|
||||
* vm_fault_quick() can sleep. Consequently,
|
||||
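Review bot: The added `if (endaddr < addr) return (EFAULT);` carries no comment, and its purpose is not obvious from the line alone: when `iov_base + size` wraps, `endaddr` ends up below `addr` and the following `for (i = 0; addr < endaddr; ...)` loop would run zero times. A comment directly above the check, such as `/* iov_base + size wrapped around; without this the page lookup loop below is skipped */`, would keep the guard from being removed as dead code later. The check only catches a wrap that lands below `addr`, so it appears to rely on `size` being bounded earlier in the function; that happens outside the hunk and is worth confirming. pipe_build_write_buffer starts and ends outside the hunk.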
|
@ -214,6 +214,7 @@ in6_control(struct socket *so, u_long cmd, caddr_t data,
|
||||
case SIOCSRTRFLUSH_IN6:
|
||||
case SIOCSDEFIFACE_IN6:
|
||||
case SIOCSIFINFO_FLAGS:
|
||||
case SIOCSIFINFO_IN6:
|
||||
if (td != NULL) {
|
||||
error = priv_check(td, PRIV_NETINET_ND6);
|
||||
if (error)
|
||||
@ -222,7 +223,6 @@ in6_control(struct socket *so, u_long cmd, caddr_t data,
|
||||
/* FALLTHROUGH */
|
||||
case OSIOCGIFINFO_IN6:
|
||||
case SIOCGIFINFO_IN6:
|
||||
case SIOCSIFINFO_IN6:
|
||||
case SIOCGDRLST_IN6:
|
||||
case SIOCGPRLST_IN6:
|
||||
case SIOCGNBRINFO_IN6:
|
||||
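Review bot: Nothing in this switch says which case list requires privilege, so a set request in the wrong list is easy to miss. The commit message and the hunk line counts indicate that `SIOCSIFINFO_IN6` moved from the list after `/* FALLTHROUGH */` (at -222) to the list above `priv_check(td, PRIV_NETINET_ND6)` (at -214). A comment above the first list, `/* requests that change ND6 state: require PRIV_NETINET_ND6 */`, and one above the second, `/* SIOCG* requests: no privilege check */`, would make the intent explicit. The check is also skipped when `td` is NULL (`if (td != NULL)`), and a line stating which callers pass NULL would help the next reviewer. in6_control continues outside both hunks.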
|