
intf_get can write past the end of the provided buffer. #14

Closed
GoogleCodeExporter opened this issue Jun 14, 2015 · 4 comments

Comments

@GoogleCodeExporter

Call intf_get() with an intf_entry buffer large enough to hold all the IPv4
addresses but without enough room for the IPv6 addresses.

What steps will reproduce the problem?
1. The default BUFSIZ buffer in the test code is 8192; the easiest thing is
probably to shrink this.
2. Add enough IPv4 addresses to an interface so that when you run ./dnet intf
get <intf> the buffer will be almost full but not quite (< sizeof(struct addr)
left).
3. Add one or more IPv6 addresses to the same interface.
4. Re-run dnet intf get <intf>.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?
libdnet-1.11, Linux 2.6.29-gentoo-r5 i686

Please provide any additional information below.
I believe this patch will fix the issue. This is also how the IPv4 loop, in the same
function, makes sure it does not walk off the end of the buffer.

Index: src/intf.c
===================================================================
--- src/intf.c  (revision 12767)
+++ src/intf.c  (working copy)
@@ -531,7 +531,7 @@
        u_int idx, bits, scope, flags;

        if ((f = fopen(PROC_INET6_FILE, "r")) != NULL) {
-           while (ap < lap &&
+           while ((ap + 1) < lap &&
                   fgets(buf, sizeof(buf), f) != NULL) {
                sscanf(buf, "%04s%04s%04s%04s%04s%04s%04s%04s %02x %02x %02x %02x %32s\n",
                    s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7],
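Review bot: the new test `(ap + 1) < lap` stops one full `struct addr` early, so besides rejecting the store that would straddle the end of the buffer it also drops an address that would fit exactly (`ap + 1 == lap`); if the exact-fit case matters, `(ap + 1) <= lap` is the tight bound, though keeping the same `<` form as the IPv4 loop the reporter points to is a defensible consistency choice. Since the bounds test guards the `fgets()` call, addresses that do not fit are skipped silently rather than reported, so it is worth documenting that intf_get truncates the alias list when the caller's buffer is too small.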


Original issue reported on code.google.com by swsia...@gmail.com on 7 Oct 2010 at 9:28
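To see why the one-word change matters, here is a constructed C simulation of the fill loop (added here; it is not libdnet's code). The `struct addr_rec` and `struct entry_hdr` layouts are assumed stand-ins for `struct addr` and the fixed part of `intf_entry`, and `ap`/`lap` are kept as byte offsets so the simulation itself never writes out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for libdnet's struct addr; only its size matters here. */
struct addr_rec { uint16_t addr_type; uint16_t addr_bits; uint8_t addr_data[16]; };

/* Constructed stand-in for the fixed intf_entry header before the alias array. */
struct entry_hdr { uint32_t intf_len; uint32_t intf_alias_num; };

struct fill_result {
    int    written;   /* records the loop stores (or would store) */
    size_t overrun;   /* bytes the last store would extend past the buffer; 0 = safe */
};

/* Simulate the alias-fill loop against a caller buffer of intf_len bytes.
 * ap starts just past the header and lap is the end of the buffer, both kept
 * as byte offsets. patched == 0 uses the original `ap < lap` test; patched != 0
 * uses `(ap + 1) < lap`, which in byte units is `ap + sizeof(struct addr_rec) < lap`. */
static struct fill_result simulate_fill(size_t intf_len, int navail, int patched)
{
    struct fill_result r = { 0, 0 };
    size_t ap  = sizeof(struct entry_hdr);
    size_t lap = intf_len;
    size_t rec = sizeof(struct addr_rec);

    for (int i = 0; i < navail; i++) {
        int room = patched ? (ap + rec < lap) : (ap < lap);
        if (!room)
            break;
        /* The store covers [ap, ap + rec); anything beyond lap is the overflow. */
        if (ap + rec > lap)
            r.overrun = ap + rec - lap;
        ap += rec;
        r.written++;
    }
    return r;
}

int main(void)
{
    /* Buffer holding the header, two records and 10 spare bytes (< one record). */
    size_t almost_full = sizeof(struct entry_hdr) + 2 * sizeof(struct addr_rec) + 10;
    struct fill_result orig = simulate_fill(almost_full, 3, 0);
    struct fill_result fixd = simulate_fill(almost_full, 3, 1);
    printf("original: %d records, %zu bytes past the end\n", orig.written, orig.overrun);
    printf("patched : %d records, %zu bytes past the end\n", fixd.written, fixd.overrun);
    return 0;
}
```

With a buffer that fits exactly three records, the patched test stores only two; that is the conservative side of the `<` comparison, trading one dropped alias for a guaranteed in-bounds write.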

@GoogleCodeExporter

Submitted for approval

Original comment by jay.f...@gmail.com on 11 Oct 2010 at 10:05

  • Changed state: Accepted

@GoogleCodeExporter

Original comment by jay.f...@gmail.com on 11 Oct 2010 at 10:05

@GoogleCodeExporter

Patch approved and committed.

Original comment by jay.f...@gmail.com on 13 Oct 2010 at 12:41

@GoogleCodeExporter

Original comment by jay.f...@gmail.com on 13 Oct 2010 at 12:41

  • Changed state: Verified
