#
330505 |
|
05-Mar-2018 |
dab |
MFC r330027
iconv uses strlen directly on user supplied memory
`iconv_sysctl_add` from `sys/libkern/iconv.c` incorrectly limits the size of user strings, such that several out of bounds reads could have been possible.
```c
static int
iconv_sysctl_add(SYSCTL_HANDLER_ARGS)
{
	struct iconv_converter_class *dcp;
	struct iconv_cspair *csp;
	struct iconv_add_in din;
	struct iconv_add_out dout;
	int error;

	error = SYSCTL_IN(req, &din, sizeof(din));
	if (error)
		return error;
	if (din.ia_version != ICONV_ADD_VER)
		return EINVAL;
	if (din.ia_datalen > ICONV_CSMAXDATALEN)
		return EINVAL;
	if (strlen(din.ia_from) >= ICONV_CSNMAXLEN)
		return EINVAL;
	if (strlen(din.ia_to) >= ICONV_CSNMAXLEN)
		return EINVAL;
	if (strlen(din.ia_converter) >= ICONV_CNVNMAXLEN)
		return EINVAL;
	...
```
Since the `din` struct is directly copied from userland, there is no guarantee that the strings supplied will be NULL terminated. The `strlen` calls could continue reading past the designated buffer sizes.
Declaration of `struct iconv_add_in` is found in `sys/sys/iconv.h`:
```c
struct iconv_add_in {
	int ia_version;
	char ia_converter[ICONV_CNVNMAXLEN];
	char ia_to[ICONV_CSNMAXLEN];
	char ia_from[ICONV_CSNMAXLEN];
	int ia_datalen;
	const void *ia_data;
};
```
Our strings are followed by the `ia_datalen` member, which is checked before the `strlen` calls:
if (din.ia_datalen > ICONV_CSMAXDATALEN)
Since `ICONV_CSMAXDATALEN` has value `0x41000` (and is `unsigned`), this ensures that `din.ia_datalen` contains at least 1 byte of 0, so it is not possible to trigger a read out of bounds of the `struct`; however, this code is fragile and could introduce subtle bugs in the future if the `struct` is ever modified.
PR: 207302
Submitted by: CTurt <cturt@hardenedbsd.org>
Reported by: CTurt <cturt@hardenedbsd.org>
Sponsored by: Dell EMC
|
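An added example (not FreeBSD's code and not the committed fix) of validating each fixed-size string field with a check that cannot read past the field, so the result no longer depends on `ia_datalen` following the strings in the struct. The `ex_` names and the array sizes of 31 are assumptions made for this userland example.

```c
#include <errno.h>
#include <string.h>

/* Array sizes are assumed for this example; 0x41000 is the value quoted in the commit message. */
#define EX_CNVNMAXLEN   31
#define EX_CSNMAXLEN    31
#define EX_CSMAXDATALEN 0x41000u

/* Userland mirror of the struct layout shown in the commit message. */
struct ex_add_in {
    int ia_version;
    char ia_converter[EX_CNVNMAXLEN];
    char ia_to[EX_CSNMAXLEN];
    char ia_from[EX_CSNMAXLEN];
    int ia_datalen;
    const void *ia_data;
};

/* Non-zero if buf[0..cap) contains a NUL. memchr() inspects at most cap bytes. */
static int terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Each string check is bounded by its own field size, whatever follows it. */
int ex_validate(const struct ex_add_in *din)
{
    if ((unsigned)din->ia_datalen > EX_CSMAXDATALEN)
        return EINVAL;
    if (!terminated(din->ia_from, sizeof(din->ia_from)) ||
        !terminated(din->ia_to, sizeof(din->ia_to)) ||
        !terminated(din->ia_converter, sizeof(din->ia_converter)))
        return EINVAL;
    return 0;
}

/* Constructed input: fill != 0 overwrites ia_from with 31 non-NUL bytes. */
int ex_case(int fill)
{
    struct ex_add_in din;
    memset(&din, 0, sizeof(din));
    strcpy(din.ia_converter, "xlat");
    strcpy(din.ia_to, "UTF-8");
    strcpy(din.ia_from, "ISO8859-1");
    if (fill) memset(din.ia_from, 'A', sizeof(din.ia_from));
    din.ia_datalen = 16;
    return ex_validate(&din);
}
```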
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation
|
#
267291 |
|
09-Jun-2014 |
jhb |
Use strcasecmp() instead of strcmp() when checking user-supplied encoding names so that encoding names are treated as case-insensitive. This allows the use of 'utf-8' instead of 'UTF-8' for example and matches the behavior of iconv(1).
PR: 167977
Submitted by: buganini@gmail.com
MFC after: 1 week
|
#
258752 |
|
29-Nov-2013 |
eadler |
Fix typo
Reported by: emaste
|
#
258751 |
|
29-Nov-2013 |
eadler |
Fix typo
Reported by: swildner@DragonFlyBSD.org
|
#
236899 |
|
11-Jun-2012 |
mjg |
Fix unloading of libiconv module.
Previously it would either loop infinitely or exit with error leaking a lock.
Reported by: Will DeVries
Approved by: trasz (mentor)
MFC after: 1 week
|
#
235712 |
|
21-May-2012 |
kevlo |
Fix broken ref count
Submitted by: gcooper
|
#
235711 |
|
21-May-2012 |
kevlo |
Fix improper handling of variadic args with ICDEBUG
PR: kern/168095
Submitted by: gcooper
|
#
227650 |
|
18-Nov-2011 |
kevlo |
Add unicode support to msdosfs and smbfs; original patches from imura, bug fixes by Kuan-Chung Chiu <buganini at gmail dot com>.
Tested by me in production for several days at work.
|
#
227293 |
|
07-Nov-2011 |
ed |
Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.
This means that their use is restricted to a single C file.
|
#
206361 |
|
07-Apr-2010 |
joel |
Switch to our preferred 2-clause BSD license.
Approved by: bp
|
#
194638 |
|
22-Jun-2009 |
delphij |
Split tolower/toupper code from usual xlat16 kiconv table, and make it possible to do tolower/toupper independently without code conversion.
Submitted by: imura (but bugs are mine)
Obtained from: http://people.freebsd.org/~imura/kiconv/ (1_kiconv_wctype_kern.diff, 1_kiconv_wctype_user.diff)
|
#
185652 |
|
05-Dec-2008 |
jhb |
Add simple locking for the in-kernel iconv code. Translation operations do not need any locking. Opening and closing translators is serialized using an sx lock.
Note: This depends on the earlier fix to kern_module.c to properly order MOD_UNLOAD events.
MFC after: 2 months
|
#
151897 |
|
31-Oct-2005 |
rwatson |
Normalize a significant number of kernel malloc type names:
- Prefer '_' to ' ', as it results in more easily parsed results in memory monitoring tools such as vmstat.
- Remove punctuation that is incompatible with using memory type names as file names, such as '/' characters.
- Disambiguate some collisions by adding subsystem prefixes to some memory types.
- Generally prefer lower case to upper case.
- If the same type is defined in multiple architecture directories, attempt to use the same name in additional cases.
Not all instances were caught in this change, so more work is required to finish this conversion. Similar changes are required for UMA zone names.
|
#
149415 |
|
24-Aug-2005 |
imura |
- Fix checking range of strings of struct iconv_add_in in libsmb and libkiconv,
- Add checking range of strings to iconv_sysctl_add().
Submitted by: Rudolf Cejka
|
#
148342 |
|
23-Jul-2005 |
imura |
Temporarily restore a part of rev 1.6. We must not increase the capability of the buffer size here, because code which calls these functions expects that dst and src are the same size. This will cause a problem when someone converts a character whose length is different between charsets on smbfs, which was changed to use the xlat16 converter.
|
#
139815 |
|
06-Jan-2005 |
imp |
/* -> /*- for copyright notices, minor format tweaks as necessary
|
#
132710 |
|
27-Jul-2004 |
phk |
Convert the vfsconf list to a TAILQ.
Introduce vfs_byname() function to find things on it.
Staticize vfs_nmount() function under the name vfs_donmount().
Various cleanups.
|
#
120492 |
|
26-Sep-2003 |
fjoe |
- Support for multibyte charsets in LIBICONV.
- CD9660_ICONV, NTFS_ICONV and MSDOSFS_ICONV kernel options (with corresponding modules).
- kiconv(3) for loadable charset conversion tables support.
Submitted by: Ryuichiro Imura <imura@ryu16.org>
|
#
116189 |
|
11-Jun-2003 |
obrien |
Use __FBSDID().
|
#
111119 |
|
19-Feb-2003 |
imp |
Back out M_* changes, per decision of the TRB.
Approved by: trb
|
#
109623 |
|
21-Jan-2003 |
alfred |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
#
104568 |
|
06-Oct-2002 |
mux |
Fix a bunch of s/int */size_t */.
|
#
100080 |
|
15-Jul-2002 |
markm |
Convert GNU variadic macros to the ISO 9X variety.
|
#
75332 |
|
09-Apr-2001 |
bp |
Add function prototypes and base module for kernel side iconv library. Add simple "xlat" converter which performs 8to8 table based conversion. Unicode converter will be added in the near future.
Reviewed by: silence on arch@
Files placement reviewed by: bde
Obtained from: smbfs
|