[Mono-bugs] [Bug 27691][Maj] New - Possible buffer overflow in runtime io-layer/handles.c (occurs with FreeBSD 4.5)

bugzilla-daemon@rocky.ximian.com bugzilla-daemon@rocky.ximian.com
12 Jul 2002 01:36:31 -0000


Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by logic@phayze.com.

http://bugzilla.ximian.com/show_bug.cgi?id=27691

--- shadow/27691	Thu Jul 11 21:36:31 2002
+++ shadow/27691.tmp.4417	Thu Jul 11 21:36:31 2002
@@ -0,0 +1,50 @@
+Bug#: 27691
+Product: Mono/Runtime
+Version: unspecified
+OS: other
+OS Details: FreeBSD 4.5
+Status: NEW   
+Resolution: 
+Severity: 008 One day
+Priority: Major
+Component: misc
+AssignedTo: mono-bugs@ximian.com                            
+ReportedBy: logic@phayze.com               
+QAContact: mono-bugs@ximian.com
+TargetMilestone: ---
+URL: 
+Cc: 
+Summary: Possible buffer overflow in runtime io-layer/handles.c (occurs with FreeBSD 4.5)
+
+NB: Bug report was not filed from the machine upon which the error 
+occurred, so User-Agent fields (MSIE 6.0, .NET CLR v1.0.3705) do not 
+contain accurate values.
+
+Description of Problem:
+mint crashes on at least one FreeBSD 4.5 system due to conflict between 
+what the source code expects the size of the .sun_path field of 
+sockaddr_un to be and what the actual size is. Source code has hardwired 
+size of 108; FreeBSD 4.5's structure contains only 104 bytes. This causes 
+a memcpy() at handles.c:109 to overwrite the caller's local variables.
+
+Steps to reproduce the problem:
+1. Install mono on FreeBSD 4.5
+2. Compine
+3. Run mint on a valid executable
+
+Actual Results:
+mint coredumps
+
+Expected Results:
+mint runs the binary
+
+How often does this happen? 
+always
+
+Additional Information:
+
+Line 109 of io-layer/handles.c: the size of the memcpy should be sizeof
+(shared_socket_address.sun_path) instead of hardcoded to 108. On my 
+FreeBSD 4.5 system, the first arg's size is 104, and the memcpy overwrites 
+local variables in the caller's context. I changed it to the sizeof() on 
+my local copy and recompiled, and mint worked properly.
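Review bot: the fix proposed in the "Additional Information" block is the right one and should be applied as stated: the length argument of the memcpy() at io-layer/handles.c:109 must be sizeof(shared_socket_address.sun_path) rather than the literal 108, so that the copy tracks the platform's own sockaddr_un definition (104 bytes on FreeBSD 4.5, per the report) instead of a size assumed from one libc; that is what stops the copy from running 4 bytes past the field into the caller's locals, which is the crash described under "Actual Results". Two things to ask for before the bug is closed, since the hunk does not show the source side of the copy: the patch should also bound the source so a path longer than the (now smaller) field cannot overrun it in the other direction, for example by rejecting paths longer than sizeof(sun_path) or copying with an explicit length check and NUL termination, and the same grep should be run over io-layer for any other hardcoded 108 tied to sun_path, since the report only verified the one line it hit. Minor: step 2 of "Steps to reproduce the problem" reads "Compine"; it should be "Compile".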