kern/49676: ICMP_STATINC() buffer overflows

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/49676: ICMP_STATINC() buffer overflows
From: ryo%nerv.org@localhost
Date: Wed, 18 Feb 2015 12:45:00 +0000 (UTC)

>Number:         49676
>Category:       kern
>Synopsis:       ICMP_STATINC() buffer overflows
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 18 12:45:00 +0000 2015
>Originator:     Ryo Shimizu
>Release:        NetBSD 7.99.5
>Organization:
>Environment:
System: NetBSD cubox 7.99.5 NetBSD 7.99.5 (CUBOX-I) #12: Wed Feb 18 21:35:18 JST 2015 ryo@phenomena:/src/cvs/NetBSD/sys/arch/evbarm/compile/CUBOX-I evbarm
Architecture: earmhf
Machine: evbarm
>Description:
ICMP_STATINC(ICMP_STAT_INHIST + icp->icmp_type) in icmp_input(), and
ICMP_STATINC(ICMP_STAT_OUTHIST + type) in icmp_error() have buffer overflows.

in netinet/icmp_var.h, ICMP_STAT_OUTHIST and ICMP_STAT_INHIST are not enough size.
#define	ICMP_STAT_LAST		16	/* Allow for 5 spare ones */
#define	ICMP_STAT_OUTHIST	ICMP_STAT_LAST
#define	ICMP_STAT_INHIST	(ICMP_STAT_LAST + ICMP_MAXTYPE)
#define	ICMP_NSTATS		(ICMP_STAT_LAST + 2 * ICMP_MAXTYPE)

ICMP_MAXTYPE is 40 defined in netinet/ip_icmp.h,
therefore size of ICMP_STAT_{IN,OUT}HIST must be 41. (ICMP_MAXTYPE + 1)

>How-To-Repeat:

# netstat -s | grep -3 photuris
        0 multicast echo requests ignored
        0 multicast timestamp requests ignored
        Input histogram:
                photuris: 4625654489024812944
        0 message responses generated
        0 path MTU changes
igmp:

photuris is abnormal value.

>Fix:

Index: icmp_var.h
===================================================================
RCS file: /cvsroot/src/sys/netinet/icmp_var.h,v
retrieving revision 1.29
diff -a -u -r1.29 icmp_var.h
--- icmp_var.h	24 Dec 2011 19:54:41 -0000	1.29
+++ icmp_var.h	17 Feb 2015 08:16:40 -0000
@@ -56,8 +56,8 @@
 #define	ICMP_STAT_BMCASTTSTAMP	10	/* b/mcast tstamp requests dropped */
 #define	ICMP_STAT_LAST		16	/* Allow for 5 spare ones */
 #define	ICMP_STAT_OUTHIST	ICMP_STAT_LAST
-#define	ICMP_STAT_INHIST	(ICMP_STAT_LAST + ICMP_MAXTYPE)
-#define	ICMP_NSTATS		(ICMP_STAT_LAST + 2 * ICMP_MAXTYPE)
+#define	ICMP_STAT_INHIST	(ICMP_STAT_LAST + ICMP_MAXTYPE + 1)
+#define	ICMP_NSTATS		(ICMP_STAT_LAST + 2 * (ICMP_MAXTYPE + 1))
 
 /*
  * Names for ICMP sysctl objects

Prev by Date: Re: port-sh3/49613 (errno does not set by some systemcall at error case)
Next by Date: PR/49676 CVS commit: src/sys/netinet
Previous by Thread: misc/49674: Failed test case: lib/librumphijack/t_tcpip:http
Next by Thread: PR/49676 CVS commit: src/sys/netinet
Indexes:

Home | Main Index | Thread Index | Old Index