Hi, I would like more clarification to be provided about who/what is affected by this patch.
As we can see, amd64 is not affected: ( 9.3-RELEASE, md5 c4605d83b454c7633149a4eb3baa8b83 )

.text:FFFFFFFF80A04AA6    mov     r14, [rbp+var_88]
.text:FFFFFFFF80A04AAD    add     cs:igmpstat_0.igps_rcv_v3_queries, 1
.text:FFFFFFFF80A04AB5    movzx   ecx, word ptr [r14+0Ah]
.text:FFFFFFFF80A04ABA    rol     cx, 8
.text:FFFFFFFF80A04ABE    movzx   ebx, cx
; rbx = ((u64)(u16)ntohs(igmp_numsrc)) << 2
.text:FFFFFFFF80A04AC1    shl     rbx, 2
; rdi = (u16)(((u64)(u16)ntohs(igmp_numsrc)) << 2)
.text:FFFFFFFF80A04AC5    movzx   edi, bx
.text:FFFFFFFF80A04AC8    mov     ecx, ebx
.text:FFFFFFFF80A04ACA    cmp     rbx, rdi ; u64 compare
.text:FFFFFFFF80A04ACD    ja      fail_igps_rcv_tooshort

This is because the result type of ntohs is the same as uint16_t, and the result of sizeof() is size_t. Because of this, 32-bit x86 should not be vulnerable either.

I can only assume platforms where the int type is <= 16 bits may actually be vulnerable. I have no idea if FreeBSD actually uses such configurations.

I think this information should be clarified in the security advisories (which in this case, only give explicit details on how to patch "a RELEASE version of FreeBSD on the i386 or amd64 platforms" - which are not affected afaict).

-Shawn
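Added example (not part of the original message and not FreeBSD source): a C model of the arithmetic written in the listing's comments, next to the same comparison with the product confined to 16 bits, which is the narrow-arithmetic case the message conjectures about. All function names are hypothetical, and the 16-bit variant is an assumption made for illustration, not a known FreeBSD configuration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers: they model only the arithmetic in the listing's comments. */

/* Byte swap, i.e. what `rol cx, 8` does for ntohs() on little-endian amd64. */
static uint16_t swap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* 64-bit case from the listing. `raw` is the word as loaded from the packet.
 * Returns 1 when the `ja fail_igps_rcv_tooshort` branch would be taken. */
int rejects_wide(uint16_t raw)
{
    uint64_t prod  = (uint64_t)swap16(raw) << 2;  /* shl rbx, 2      */
    uint64_t low16 = (uint16_t)prod;              /* movzx edi, bx   */
    return prod > low16;                          /* cmp rbx, rdi    */
}

/* Assumed narrow case: the product itself only has 16 bits, so it has
 * already wrapped before the comparison and can never exceed its own value. */
int rejects_narrow(uint16_t raw)
{
    uint16_t prod  = (uint16_t)((uint32_t)swap16(raw) << 2);
    uint16_t low16 = (uint16_t)prod;
    return prod > low16;
}

/* Smallest source count the wide check rejects, or -1 if none. */
long first_rejected_wide(void)
{
    for (uint32_t n = 0; n <= 0xFFFF; n++)
        if (rejects_wide(swap16((uint16_t)n)))
            return (long)n;
    return -1;
}

/* How many of the 65536 possible counts the narrow check rejects. */
long count_rejected_narrow(void)
{
    long hits = 0;
    for (uint32_t n = 0; n <= 0xFFFF; n++)
        hits += rejects_narrow(swap16((uint16_t)n));
    return hits;
}

int main(void)
{
    printf("wide check first rejects numsrc = 0x%lx\n", (unsigned long)first_rejected_wide());
    printf("narrow check rejects %ld of 65536 counts\n", count_rejected_narrow());
    return 0;
}
```

With wide arithmetic the comparison fires as soon as the count times 4 no longer fits in 16 bits; with the product confined to 16 bits the same comparison never fires.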