# Understanding old C style arguments



## qmanman (Oct 29, 2018)

Hello everyone, first post after scouring these forums for months. I'm a grad student attempting to exploit CVE-2002-0973 on FreeBSD release 4.2. Since the code base I'm working with is circa the year 2000 (the year I discovered *nix....), there are some conventions that I'm hoping to get assistance with. Please bear with me on the longish post as I attempt to paint a clear picture.

A System call is issued to accept() with args. From syscalls.master:

```
30    STD    BSD    { int accept(int s, caddr_t name, int *anamelen); }
```

The next step (I believe) is accept() is called from uipc_syscalls:

```
accept(p, uap)
    struct proc *p;
    struct accept_args *uap;
{

    return (accept1(p, uap, 0));
}
```

And then accept1() is called uipc_syscalls.c

```
static int
accept1(p, uap, compat)
    struct proc *p;
    register struct accept_args /* {
        int    s;
        caddr_t    name;
        int    *anamelen;
    } */ *uap;
    int compat;
{
    struct filedesc *fdp = p->p_fd;
    struct file *fp;
    struct sockaddr *sa;
    int namelen, error, s;
    struct socket *head, *so;
    int fd;
    short fflag;        /* type must match fp->f_flag */
    /* this is the exploit portion */
    if (uap->name) {
        error = copyin((caddr_t)uap->anamelen, (caddr_t)&namelen,
            sizeof (namelen));
        if(error)
            return (error); /* patch adds two lines below this */
    }
```

One point:

Every other function in this uipc_syscalls.c starts with the comment /* ARGSUSED */ and also has the args struct commented out like accept1 above. I assuming this is an omission error with this one argument at this point.
My questions:

Since the struct "accept_args" is commented out in the function calls, is it up to the caller to ensure the proper fields are in the struct referenced by *uap? Is this struct built somewhere else in the process of the syscall? I've been searching for weeks, including dev docs and forums, regarding how function arguments become "struct  *uap", and have largely come up empty. Any help would be greatly appreciated.  
Each function also has a function declaration below the include section at the start of the file, which seems redundant because I thought the old style argument type declarations below each function took care of that.
Thank you in advance for any help


----------



## SirDice (Oct 29, 2018)

This might help: Developer's Handbook: 11.3. System Calls


----------



## _martin (Oct 29, 2018)

1) struct arg is not commented out, the argument *uap is there. The comment there is just to show how that struct looks like. And as uap is an argument to accept1() it's prepped somewhere else.

The best way is to trace this in VM, qemu or alike. Set the breakpoint to accept and trace it all down. You have src and debug symbols so you don't need to guess or RE anything.

2) Not sure what you mean - maybe it's a forward declaration ? The old style function is just about syntax:


```
int foo(char* bar) {
```
vs

```
int foo(bar)
char* bar
{
```


----------

