COMMAND

    sendmsg(2)

SYSTEMS AFFECTED

    All NetBSD releases from 1.3 up to and including 1.5, and NetBSD-current
    (NetBSD 1.5.1 is not affected)

PROBLEM

    The following is based on NetBSD Security Advisory 2001-011.   Due
    to insufficient length checking in the kernel, sendmsg(2)  can  be
    used by an unprivileged local user to cause a kernel trap, or  an
    'out of space in kmem_map' panic, i.e. a local denial of service.

    sendmsg(2) can be used to  send data through a socket,  optionally
    specifying destination address and control information.

    sendmsg(2) accepts a pointer to struct msghdr, which holds further
    information for the call.   The pointer to control information  is
    passed via msg_control, and msg_controllen holds the length of the
    control information.  The kernel uses these to copy the control
    information into kernel space and place it in an mbuf for further
    processing.  However, the kernel allocates mbuf storage of the size
    given in msg_controllen without any further check, so the caller
    chooses the allocation size.  This can be abused to cause a kernel
    page fault trap if the value is higher than INT_MAX, or to cause an
    'out of space in kmem_map' panic for lower values.  The exact  size
    needed to cause the latter is port dependent, though INT_MAX is
    commonly enough to trigger the panic.

    Credit  goes  to  Jaromir  Dolecek  for  finding  the problem, and
    supplying a test program showing the problem and Matt Thomas for a
    fix.
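
    As an added illustration (not NetBSD kernel code, and not the test
    program mentioned above), the following userspace model shows the
    copy-in path described in the PROBLEM section: an unchecked variant
    that hands msg_controllen straight to the allocator, beside a
    checked variant that rejects oversized lengths before allocating.
    The mbuf/kmem_map/copyin stand-ins, the MODEL_* constants and the
    MODEL_MCLBYTES bound are assumptions for the model; the real fix and
    the real MLEN/MCLBYTES values are not reproduced here.

```c
/* Added example: userspace model of the sendmsg(2) control-data copy-in
 * path.  Nothing here is NetBSD code; constants and bounds are assumed. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define MODEL_MLEN      112    /* assumed: bytes that fit in an ordinary mbuf */
#define MODEL_MCLBYTES  2048   /* assumed: largest control buffer the checked path accepts */
#define MODEL_KMEM_MAP  65536  /* assumed: size of the pretend kmem_map */

static size_t model_kmem_used;  /* bytes handed out from the pretend kmem_map */
static int    model_panicked;   /* set when a request would exhaust it */

/* Kernel allocator stand-in.  A request the map cannot satisfy is what the
 * advisory calls an 'out of space in kmem_map' panic; we flag it and fail. */
static void *model_kmem_alloc(size_t n)
{
    void *p;
    if (n > MODEL_KMEM_MAP - model_kmem_used) {
        model_panicked = 1;
        return NULL;
    }
    if ((p = malloc(n)) != NULL)
        model_kmem_used += n;
    return p;
}

static void model_kmem_free(void *p, size_t n)
{
    model_kmem_used -= n;
    free(p);
}

/* The caller's control buffer: only `mapped` bytes really exist. */
struct user_buf { const char *data; size_t mapped; };

/* copyin(9) stand-in: reading past what the caller mapped faults. */
static int model_copyin(const struct user_buf *u, void *dst, size_t n)
{
    if (n > u->mapped)
        return EFAULT;
    memcpy(dst, u->data, n);
    return 0;
}

/* Shared body: small data goes into inline mbuf storage, anything larger
 * gets external storage sized by `need` (the MEXTMALLOC-style step). */
static int copy_control(const struct user_buf *u, size_t need)
{
    char inline_store[MODEL_MLEN];
    void *dst = inline_store;
    int error;

    if (need > MODEL_MLEN) {
        dst = model_kmem_alloc(need);
        if (dst == NULL)
            return ENOMEM;      /* the kernel panicked here rather than returning */
    }
    error = model_copyin(u, dst, need);
    if (dst != inline_store)
        model_kmem_free(dst, need);
    return error;
}

/* Vulnerable shape: no bound on the length at all.  buflen is an int, so a
 * msg_controllen above INT_MAX arrives negative and the cast turns it into
 * a gigantic allocation request. */
static int sockargs_unchecked(const struct user_buf *u, int buflen)
{
    return copy_control(u, (size_t)(unsigned int)buflen);
}

/* Checked shape: reject anything above a fixed bound before touching the
 * allocator, so the caller can never pick the allocation size. */
static int sockargs_checked(const struct user_buf *u, unsigned int buflen)
{
    if (buflen > MODEL_MCLBYTES)
        return EINVAL;
    return copy_control(u, buflen);
}

/* Drive either path with a claimed length that may exceed the bytes actually
 * mapped, which is exactly what a hostile msg_controllen does. */
static int try_control(int checked, size_t mapped, unsigned int claimed)
{
    char store[64] = {0};                        /* constructed sample buffer */
    struct user_buf u = { store, mapped > sizeof store ? sizeof store : mapped };
    model_panicked = 0;
    return checked ? sockargs_checked(&u, claimed)
                   : sockargs_unchecked(&u, (int)claimed);
}

/* What a legitimate caller supplies: msg_controllen derived from CMSG_SPACE,
 * here for one passed file descriptor, so it is tiny by construction. */
static unsigned int legit_controllen_for_fd(void)
{
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    return (unsigned int)msg.msg_controllen;
}
```

    The point of the model is that the checked path fails closed with
    EINVAL for any length above the bound, whether or not that length
    is above INT_MAX, while the unchecked path lets the caller drive the
    allocator with an arbitrary size.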

SOLUTION

    All NetBSD official releases from 1.3 up to and including 1.5  are
    vulnerable; NetBSD 1.5.1 is not.  Kernel sources must be updated and
    a new kernel built and installed.  The instructions for updating
    your kernel sources depend upon which particular NetBSD release you
    are running.

    Systems running NetBSD-current dated from before 2001-07-01 should
    be  upgraded  to  NetBSD-current  dated  2001-07-01 or later.  The
    following  source  directories  need   to  be  updated  from   the
    netbsd-current CVS branch (aka HEAD):

        src/sys/kern

    Alternatively, apply  the following  patch (with  potential offset
    differences):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-current.patch

    Systems running NetBSD 1.5 dated from before 2001-07-02 should  be
    upgraded from NetBSD 1.5 sources  dated 2001-07-02 or later.   The
    following source directory needs to be updated from the netbsd-1-5
    CVS branch:

        src/sys/kern

    Alternatively, apply  the following  patch (with  potential offset
    differences):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch

    NetBSD 1.5.1 is not vulnerable.

    Systems running NetBSD 1.4 dated from before 2001-07-19 should  be
    upgraded from NetBSD 1.4 sources  dated 2001-07-19 or later.   The
    following source directory needs to be updated from the netbsd-1-4
    CVS branch:

        src/sys/kern

    Alternatively, apply  the following  patch (with  potential offset
    differences):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch

    For NetBSD 1.3, 1.3.1, 1.3.2  and 1.3.3 apply the following  patch
    (with potential offset differences):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch