>Number: 172279
>Category: misc
>Synopsis: OpenBSM-21/openbsm/libbsm/bsm_token.c au_to_process32_ex
>documentation is incorrect
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 02 17:10:14 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Daniel U. Thibault
>Release:
>Organization:
DRDC Valcartier
>Environment:
>Description:
The au_to_process32_ex function of bsm_token.c (a component of the current
libbsm implementation) reads in part:
/*
[...]
* machine address 16 bytes
*/
token_t *
au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
[...]
if (tid->at_type == AU_IPv4)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
10 * sizeof(u_int32_t));
else if (tid->at_type == AU_IPv6)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
13 * sizeof(u_int32_t));
[...]
if (tid->at_type == AU_IPv6) {
ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
}
Clearly the token's size is variable, unlike what the preamble says.
>How-To-Repeat:
Look up
http://www.opensource.apple.com/source/OpenBSM/OpenBSM-21/openbsm/libbsm/bsm_token.c
and search for au_to_process32_ex.
>Fix:
Change the au_to_process32_ex preamble to conclude with:
* machine address 4 bytes/16 bytes (depending on address type-len)
*/
>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "[email protected]"
