Buffer overflow in zts_get_ipv4_address? #21

Closed
schlarpc opened this issue Nov 10, 2017 · 2 comments
@schlarpc

My C is super rusty, but this doesn't seem right -

This makes a scratch buffer of length INET_ADDRSTRLEN to pass to InetAddress::toString:

char ipbuf[INET_ADDRSTRLEN];

INET_ADDRSTRLEN is 16, since an IPv4 address can be at most 15 characters.

But toString also adds the "port" - which I think is the CIDR mask of the ZT network - onto the end of the string, which means it can be 3 bytes longer, e.g. "/24":
https://github.com/zerotier/ZeroTierOne/blob/ee4783e3fb975d73aabeaa433c346aea043908a9/node/InetAddress.cpp#L132

Unless I'm missing something, that'd be writing 18 bytes into a 16 byte buffer :(
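
The sizing problem reported above, as an added example that is not part of the original issue or of ZeroTier's code: it measures how many bytes an "address/number" string needs and refuses to write into a buffer that is too small. The names `ADDR_SUFFIX_STRLEN`, `addr_suffix_needed` and `addr_suffix_format` are hypothetical, and the "ip/number" layout is assumed from the report's description of `toString`.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Worst case "255.255.255.255/65535": 15 + 1 + 5 characters, plus the NUL. */
#define ADDR_SUFFIX_STRLEN (INET_ADDRSTRLEN + 1 + 5)

/* Parse and re-print the address so only canonical dotted-quad text is used. */
static int normalize(const char *dotted, char ipbuf[INET_ADDRSTRLEN])
{
    struct in_addr ip;
    if (inet_pton(AF_INET, dotted, &ip) != 1)
        return -1;
    return inet_ntop(AF_INET, &ip, ipbuf, INET_ADDRSTRLEN) ? 0 : -1;
}

/* Bytes (including the NUL) needed for "ip/suffix"; 0 if dotted is not IPv4. */
size_t addr_suffix_needed(const char *dotted, uint16_t suffix)
{
    char ipbuf[INET_ADDRSTRLEN];
    if (normalize(dotted, ipbuf) != 0)
        return 0;
    /* snprintf(NULL, 0, ...) only measures; it writes nothing. */
    int n = snprintf(NULL, 0, "%s/%u", ipbuf, (unsigned)suffix);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Writes "ip/suffix" into out. Returns 0 on success, or -1 (leaving out as an
 * empty string) when the input is invalid or the result does not fit. */
int addr_suffix_format(const char *dotted, uint16_t suffix,
                       char *out, size_t outlen)
{
    char ipbuf[INET_ADDRSTRLEN];
    if (outlen > 0)
        out[0] = '\0';
    if (normalize(dotted, ipbuf) != 0)
        return -1;
    if (addr_suffix_needed(dotted, suffix) > outlen)
        return -1;                      /* would overflow: refuse to write */
    snprintf(out, outlen, "%s/%u", ipbuf, (unsigned)suffix);
    return 0;
}

int main(void)
{
    /* Constructed sample address: 18 characters plus the NUL terminator. */
    printf("need %zu bytes, INET_ADDRSTRLEN is %d\n",
           addr_suffix_needed("192.168.100.100", 24), INET_ADDRSTRLEN);
    return 0;
}
```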

@joseph-henry

Correct. That method has been replaced in the latest version in dev, with zts_get_address().

You can use this more generalized version below until I merge stuff back into master.

void zts_get_address(const uint64_t nwid, struct sockaddr_storage *addr, const size_t addrlen)
{
	if (!zt1Service) {
		return;
	}
	VirtualTap *tap = getTapByNWID(nwid);
	if (tap && tap->_ips.size()) {
		for (size_t i=0; i<tap->_ips.size(); i++) {
			if (tap->_ips[i].isV4()) {
				memcpy(addr, &(tap->_ips[i]), addrlen);
				return;
			}
		}
	}
}

@joseph-henry

Another note, this function will only return the first address assignment found for this node on the given network. For the vast majority of cases this is desired but I plan to introduce an extended version of this function that will return an array of addresses. Probably when somebody asks for it.
