FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

fd_set -- bitmap index overflow in multiple applications

Affected packages
gatekeeper < 2.2.1
citadel < 6.29
3proxy < 0.5.b
jabber < 1.4.3.1_1,1
jabber = 1.4.4
bnc < 2.9.3
rinetd < 0.62_1
dante < 1.1.15
bld < 0.3.3

Details

VuXML ID 4c005a5e-2541-4d95-80a0-00c76919aa66
Discovery 2004-12-12
Entry 2005-06-17
Modified 2006-09-03

3APA3A reports:

If a programmer fails to check the socket number before using select() or the fd_set macros, it's possible to overwrite memory behind the fd_set structure. Very few select()-based applications actually check the FD_SETSIZE value. [...]

Depending on the vulnerable application, it's possible to overwrite portions of memory. Impact is close to off-by-one overflows, code execution doesn't seem exploitable.
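
The missing check described in the report, as an added example (not part of the advisory and not taken from any of the affected packages): every descriptor is range-checked against FD_SETSIZE before FD_SET touches the bitmap. The function names fd_set_checked, build_read_set and demo are hypothetical, and the descriptor list in demo is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Add fd to set only if it is a valid bitmap index.
 * Returns 0 on success, -1 if FD_SET would index outside the fd_set. */
static int fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;               /* caller should reject or close this fd */
    FD_SET(fd, set);
    return 0;
}

/* Build a read set from fds[0..n-1]. Out-of-range descriptors are skipped
 * and counted in *rejected. Returns the highest accepted fd, or -1 if none. */
static int build_read_set(const int *fds, size_t n, fd_set *set, size_t *rejected)
{
    int maxfd = -1;
    FD_ZERO(set);
    *rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (fd_set_checked(fds[i], set) != 0) { (*rejected)++; continue; }
        if (fds[i] > maxfd) maxfd = fds[i];
    }
    return maxfd;
}

/* Constructed input: one readable pipe end plus two descriptor numbers that
 * are not valid fd_set indexes. Returns select()'s ready count, -1 on error. */
static int demo(size_t *rejected)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    if (write(p[1], "x", 1) != 1) { close(p[0]); close(p[1]); return -1; }
    int fds[3] = { p[0], FD_SETSIZE, -1 };
    fd_set rset;
    int maxfd = build_read_set(fds, 3, &rset, rejected);
    struct timeval tv = { 0, 0 };            /* poll, do not block */
    int ready = select(maxfd + 1, &rset, NULL, NULL, &tv);
    close(p[0]); close(p[1]);
    return ready;
}

int main(void)
{
    size_t rejected;
    int ready = demo(&rejected);
    printf("ready=%d rejected=%zu\n", ready, rejected);
    return ready == 1 ? 0 : 1;
}
```

A server that can hold FD_SETSIZE or more descriptors open at once needs this rejection path or an interface such as poll(), which does not use a fixed-size bitmap.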

References

Message 1473827718.20050124233008@security.nnov.ru
URL http://www.gotbnc.com/changes.html#2.9.3
URL http://www.security.nnov.ru/advisories/sockets.asp