Bug #7654

buffer overflow in route's static implementation of link_ntoa

Added by Matt Barden over 3 years ago.

Status: New
Priority: Low
Assignee: -
Category: -
Start date: 2016-12-07
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

route(1M) uses BSD's implementation of link_ntoa, which is vulnerable to a buffer overflow. However, route's implementation is statically defined, and it only parses input originating from the kernel via PF_ROUTE messages, so it's not particularly exploitable.

The BSD vulnerability: https://www.kb.cert.org/vuls/id/548487
The BSD function: https://github.com/freebsd/freebsd/blob/386ddae58459341ec567604707805814a2128a57/lib/libc/net/linkaddr.c#L132
Our version: http://src.illumos.org/source/xref/illumos-gate/usr/src/cmd/cmd-inet/usr.sbin/route.c#3022
BSD's fix: https://github.com/freebsd/freebsd/commit/e7aed7dacb18c4f4b4568ec011a236861495a1c4
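
An added example (not code from illumos, FreeBSD, or the reporter) of the bounds check this class of bug calls for: a link-address formatter that validates both length fields against the source and destination buffers before writing. Assumptions: `struct ll_addr` is a simplified stand-in for `struct sockaddr_dl`, `ll_format` is a hypothetical name, and the `name:hex.hex` output format is assumed.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for struct sockaddr_dl (assumption, not the system
 * type): data[] holds nlen bytes of name followed by alen address bytes. */
struct ll_addr {
    unsigned char nlen;       /* interface name length */
    unsigned char alen;       /* link-layer address length */
    unsigned char data[255];  /* name bytes, then address bytes */
};

/* Hypothetical helper: format as "name:a.b.c" (hex, no leading zeros) into
 * out[outlen]. Returns the string length, or -1 if the lengths are
 * inconsistent or the worst-case result would not fit. out is always
 * NUL-terminated when outlen > 0. */
int ll_format(const struct ll_addr *a, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t need, pos, i;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    /* Both length fields must describe bytes that exist in data[]. */
    if ((size_t)a->nlen + a->alen > sizeof(a->data))
        return -1;
    /* Conservative worst case: name, ':', 2 digits per byte, '.', NUL. */
    need = (size_t)a->nlen + ((a->nlen && a->alen) ? 1 : 0) + 1;
    if (a->alen)
        need += 3 * (size_t)a->alen - 1;
    if (need > outlen)
        return -1;

    memcpy(out, a->data, a->nlen);
    pos = a->nlen;
    if (a->nlen && a->alen)
        out[pos++] = ':';
    for (i = 0; i < a->alen; i++) {
        unsigned char b = a->data[a->nlen + i];
        if (i > 0)
            out[pos++] = '.';
        if (b > 0xf)
            out[pos++] = hex[b >> 4];
        out[pos++] = hex[b & 0xf];
    }
    out[pos] = '\0';
    return (int)pos;
}
```

Rejecting the input up front, rather than truncating mid-write, keeps every store inside `out` even when the lengths come from a message the caller did not construct.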
