SVNews r330505

NOTE: This service is experimental and subject to change! Use at your own risk!

2018-03-05 13:58:03 - r330505 by dab (dab)

Complete list of files affected by revision r330505:

(Note: At the moment, these links point to ViewVC on They are probably slow. Do not overuse.)

   Contents     MODIFY   /stable/11  
  History   Contents   Diff   MODIFY   /stable/11/sys/libkern/iconv.c  

Commit message:

MFC r330027

iconv uses strlen directly on user supplied memory

`iconv_sysctl_add` from `sys/libkern/iconv.c` incorrectly limits the
size of user strings, such that several out of bounds reads could have
been possible.

static int
  struct iconv_converter_class *dcp;
  struct iconv_cspair *csp;
  struct iconv_add_in din;
  struct iconv_add_out dout;
  int error;

  error = SYSCTL_IN(req, &din, sizeof(din));
  if (error)
  return error;
  if (din.ia_version != ICONV_ADD_VER)
  return EINVAL;
  if (din.ia_datalen > ICONV_CSMAXDATALEN)
  return EINVAL;
  if (strlen(din.ia_from) >= ICONV_CSNMAXLEN)
  return EINVAL;
  if (strlen(din.ia_to) >= ICONV_CSNMAXLEN)
  return EINVAL;
  if (strlen(din.ia_converter) >= ICONV_CNVNMAXLEN)
  return EINVAL;

Since the `din` struct is directly copied from userland, there is no
guarantee that the strings supplied will be NULL terminated. The
`strlen` calls could continue reading past the designated buffer

Declaration of `struct iconv_add_in` is found in `sys/sys/iconv.h`:

struct iconv_add_in {
  int ia_version;
  char ia_converter[ICONV_CNVNMAXLEN];
  char ia_to[ICONV_CSNMAXLEN];
  char ia_from[ICONV_CSNMAXLEN];
  int ia_datalen;
  const void *ia_data;

Our strings are followed by the `ia_datalen` member, which is checked
before the `strlen` calls:

if (din.ia_datalen > ICONV_CSMAXDATALEN)

Since `ICONV_CSMAXDATALEN` has value `0x41000` (and is `unsigned`),
this ensures that `din.ia_datalen` contains at least 1 byte of 0, so
it is not possible to trigger a read out of bounds of the `struct`
however, this code is fragile and could introduce subtle bugs in the
future if the `struct` is ever modified.

PR: 207302
Submitted by: CTurt <>
Reported by: CTurt <>
Sponsored by: Dell EMC


Powered by Python FreeBSD support by secnetix GmbH & Co. KG

Page generated in 6 ms, 2 files printed. Current time is 2018-03-22 11:29:21. All times are in UTC/GMT.