0x4e38 / libdnet

Automatically exported from code.google.com/p/libdnet

intf_get can write past the end of the provided buffer. #14

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Call intf_get() with an intf_entry buffer large enough to hold all the IPv4
addresses but without enough room for the IPv6 addresses.

What steps will reproduce the problem?
1. The default BUFSIZ buffer in the test code is 8192; the easiest thing is
probably to shrink this.
2. Add enough IPv4 addresses to an interface so that when you run ./dnet intf
get <intf> the buffer will be almost full but not quite (less than
sizeof(struct addr) left).
3. Add one or more IPv6 addresses to the same interface.
4. Re-run dnet intf get <intf>.

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?
libdnet-1.11, Linux 2.6.29-gentoo-r5 i686

Please provide any additional information below.
I believe this patch will fix the issue. This is also how the IPv4 loop, in the
same function, makes sure it does not walk off the end of the buffer.

Index: src/intf.c
===================================================================
--- src/intf.c  (revision 12767)
+++ src/intf.c  (working copy)
@@ -531,7 +531,7 @@
        u_int idx, bits, scope, flags;

        if ((f = fopen(PROC_INET6_FILE, "r")) != NULL) {
-           while (ap < lap &&
+           while ((ap + 1) < lap &&
                   fgets(buf, sizeof(buf), f) != NULL) {
                sscanf(buf, "%04s%04s%04s%04s%04s%04s%04s%04s %02x %02x %02x %02x %32s\n",
                    s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7],
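
Review bot: the new condition `(ap + 1) < lap` leaves one `struct addr` slot unused, and nothing in the hunk says why `ap < lap` was not enough, so a comment at the `while` should state what `lap` points to and how many entries the loop body writes per iteration. If `lap` is one past the last slot and the body fills exactly one `*ap` before advancing, the extra element is an off-by-one that rejects the last usable slot; if the body writes beyond `*ap` (or `lap` is the last valid slot), the headroom is required and the reason belongs next to the check, matching the IPv4 loop the report cites.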

Original issue reported on code.google.com by swsia...@gmail.com on 7 Oct 2010 at 9:28
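A bounds-guarded version of the loop the report describes, added here as an example and not libdnet's own code: it parses constructed lines in the layout of the file PROC_INET6_FILE refers to (assumed to be /proc/net/if_inet6) into a caller-sized [ap, lap) array, testing capacity before every write so surplus IPv6 entries are dropped instead of spilling past the buffer. struct addr6, fill_inet6, fill_guarded and the sample lines are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for libdnet's struct addr; not the real layout. */
struct addr6 { uint8_t addr[16]; unsigned bits; };
/* Constructed sample in /proc/net/if_inet6 layout (3 eth0 entries):
 * 32 hex digits, ifindex, prefix length, scope, flags, interface name. */
static const char *SAMPLE_INET6 =
    "fe800000000000000000000000000001 02 40 20 80 eth0\n"
    "20010db8000000000000000000000001 02 40 00 80 eth0\n"
    "20010db8000000000000000000000002 02 40 00 80 eth0\n";
/* Store entries for `ifname` into [ap, lap). The capacity test runs before
 * every write, so surplus lines are dropped instead of overrunning the
 * buffer. Returns the number of entries written. */
static int fill_inet6(const char *text, struct addr6 *ap, struct addr6 *lap,
                      const char *ifname)
{
    char s[8][5], name[33], buf[128];        /* s[i]: 4 hex digits + NUL */
    unsigned idx, bits, scope, flags, v;
    struct addr6 *start = ap;
    const char *line = text, *nl;
    while (ap < lap && line != NULL && *line != '\0') {
        nl = strchr(line, '\n');             /* copy one line, truncated */
        snprintf(buf, sizeof(buf), "%.*s", nl ? (int)(nl - line) : 127, line);
        line = nl ? nl + 1 : NULL;
        if (sscanf(buf, "%4s%4s%4s%4s%4s%4s%4s%4s %x %x %x %x %32s",
                   s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7],
                   &idx, &bits, &scope, &flags, name) != 13 ||
            strcmp(name, ifname) != 0)
            continue;                        /* malformed or other interface */
        for (int i = 0; i < 8; i++) {        /* 4 hex digits -> 2 bytes */
            sscanf(s[i], "%4x", &v);
            ap->addr[2 * i] = v >> 8; ap->addr[2 * i + 1] = v & 0xff;
        }
        ap->bits = bits; ap++;
    }
    return (int)(ap - start);
}
/* Advertise only `capacity` of 4 slots; returns entries written, or -1 if a
 * slot past `capacity` lost its canary byte (an overrun would do that). */
static struct addr6 g_slots[4];
static int fill_guarded(int capacity)
{
    memset(g_slots, 0xAA, sizeof(g_slots));
    int n = fill_inet6(SAMPLE_INET6, g_slots, g_slots + capacity, "eth0");
    for (int i = capacity; i < 4; i++)
        if (g_slots[i].addr[0] != 0xAA) return -1;
    return n;
}
```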

GoogleCodeExporter commented 9 years ago
Submitted for approval

Original comment by jay.f...@gmail.com on 11 Oct 2010 at 10:05

GoogleCodeExporter commented 9 years ago
Patch approved and committed.

Original comment by jay.f...@gmail.com on 13 Oct 2010 at 12:41