Hello everyone, first post after scouring these forums for months. I'm a grad student attempting to exploit CVE-2002-0973 on FreeBSD release 4.2. Since the code base I'm working with is circa the year 2000 (the year I discovered *nix....), there are some conventions that I'm hoping to get assistance with. Please bear with me on the longish post as I attempt to paint a clear picture.
A System call is issued to accept() with args. From syscalls.master:
C:
30 STD BSD { int accept(int s, caddr_t name, int *anamelen); }
The next step (I believe) is accept() is called from uipc_syscalls:
Code:
accept(p, uap)
	struct proc *p;
	struct accept_args *uap;
{
	return (accept1(p, uap, 0));
}
And then accept1() is called uipc_syscalls.c
C:
static int
accept1(p, uap, compat)
	struct proc *p;
	register struct accept_args /* {
		int	s;
		caddr_t	name;
		int	*anamelen;
	} */ *uap;
	int compat;
{
	struct filedesc *fdp = p->p_fd;
	struct file *fp;
	struct sockaddr *sa;
	int namelen, error, s;
	struct socket *head, *so;
	int fd;
	short fflag;		/* type must match fp->f_flag */

	/* this is the exploit portion: namelen is read straight from user
	 * memory (*uap->anamelen) and is a signed int */
	if (uap->name) {
		error = copyin((caddr_t)uap->anamelen, (caddr_t)&namelen,
			sizeof (namelen));
		if (error)
			return (error);	/* patch adds two lines below this */
	}
	/* ... remainder of accept1() not quoted here ... */
One point:
- Every other function in this uipc_syscalls.c starts with the comment /* ARGSUSED */ and also has the args struct commented out like accept1 above. I'm assuming this is an omission error with this one argument at this point.
- Since the struct "accept_args" is commented out in the function calls, is it up to the caller to ensure the proper fields are in the struct referenced by *uap? Is this struct built somewhere else in the process of the syscall? I've been searching for weeks, including dev docs and forums, regarding how function arguments become "struct *uap", and have largely come up empty. Any help would be greatly appreciated.
- Each function also has a function declaration below the include section at the start of the file, which seems redundant because I thought the old style argument type declarations below each function took care of that.
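As an added illustration of the "exploit portion" quoted above (this is my own userland model, not code from the post or from the FreeBSD 4.2 source), the following C program shows why a signed namelen copied in from user space needs a sign check before it is used. The kernel later clips namelen against the address's sa_len and hands it to copyout() as an unsigned count; the functions below reproduce just that arithmetic. All model_ names and the stand-in sockaddr are assumptions made for the example, and the fixed variant models a "reject negative lengths" check of the shape the advisory patch adds; it is not a verbatim copy of the patch.

```c
/* Added example, not from the forum post or the FreeBSD source: a userland
 * model of the namelen handling in accept1(). Names prefixed model_ are
 * hypothetical stand-ins, not kernel definitions. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the socket address the kernel would copy out. The real
 * struct sockaddr keeps its length in a u_char, so sa_len is an unsigned
 * char here too; that type drives the signed/unsigned behaviour below. */
struct model_sockaddr {
    unsigned char sa_len;
    unsigned char sa_family;
    char sa_data[14];
};

/* Outcome of the modelled length step: either an errno value, or the
 * unsigned byte count that would be handed to copyout(). */
struct model_result {
    int error;            /* 0 on success, otherwise an errno value */
    unsigned int copylen; /* bytes copyout() would be asked to write */
};

/* A constructed 16-byte address with sa_len filled in, used by main() and
 * by the checks below. */
const struct model_sockaddr model_sample_sa = { 16, 2, { 0 } };

/* Vulnerable shape: namelen comes from user memory and is only clipped
 * against sa_len. Because sa_len is promoted to int, a negative namelen is
 * never "greater" than it, survives the clip, and the cast to an unsigned
 * count turns -1 into UINT_MAX, so the copy would run far past the
 * sockaddr into kernel memory. */
struct model_result model_accept_len_vulnerable(int namelen,
                                                const struct model_sockaddr *sa)
{
    struct model_result r = { 0, 0 };
    if (namelen > sa->sa_len)
        namelen = sa->sa_len;
    r.copylen = (unsigned int)namelen;
    return r;
}

/* Hardened shape: refuse any negative length before it is used, then clip
 * as before. Rejecting with EINVAL models the two-line check the post says
 * the patch adds after the copyin(). */
struct model_result model_accept_len_fixed(int namelen,
                                           const struct model_sockaddr *sa)
{
    struct model_result r = { 0, 0 };
    if (namelen < 0) {
        r.error = EINVAL;
        return r;
    }
    if (namelen > sa->sa_len)
        namelen = sa->sa_len;
    r.copylen = (unsigned int)namelen;
    return r;
}

int main(void)
{
    /* Constructed user-supplied lengths: exact, too large, and negative. */
    int lengths[] = { 16, 64, -1 };
    size_t i;

    printf("%8s %12s %12s\n", "namelen", "vulnerable", "fixed");
    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        struct model_result v = model_accept_len_vulnerable(lengths[i], &model_sample_sa);
        struct model_result f = model_accept_len_fixed(lengths[i], &model_sample_sa);
        printf("%8d %12u ", lengths[i], v.copylen);
        if (f.error)
            printf("%12s\n", "EINVAL");
        else
            printf("%12u\n", f.copylen);
    }
    return 0;
}
```

Running it prints three rows: 16 and 64 both clip to a 16-byte copy in either variant, while -1 becomes a 4294967295-byte copy in the vulnerable model and EINVAL in the fixed one. The point for a reviewer is that the bug is not in copyin() itself but in trusting the sign of a value that has just crossed the user/kernel boundary.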