Page MenuHomeFreeBSD

dummynet: Avoid an out-of-bounds read in do_config()
ClosedPublic

Authored by markj on Nov 26 2021, 4:01 PM.
Tags
None
Referenced Files
F133019654: D33132.id99170.diff
Wed, Oct 22, 3:24 AM
Unknown Object (File)
Wed, Oct 15, 8:44 AM
Unknown Object (File)
Tue, Oct 14, 4:08 AM
Unknown Object (File)
Tue, Oct 14, 4:08 AM
Unknown Object (File)
Tue, Oct 14, 4:08 AM
Unknown Object (File)
Mon, Oct 13, 2:45 PM
Unknown Object (File)
Sat, Oct 11, 8:03 AM
Unknown Object (File)
Sep 20 2025, 6:19 AM

Details

Summary

do_config() processes a buffer of variable-length dummynet commands.
The loop which processes this buffer loads the fixed-length header
before checking whether there are any bytes left to read, so it performs
a 4-byte read past the end of the buffer before terminating.

Restructure the loop to avoid this.

Reported by: Jenkins (KASAN job)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable