This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug network/18665] New: In send_dg, the recvfrom function is NOT always using the buffer size of a newly created buffer.
- From: "rhollida at ciena dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 13 Jul 2015 23:41:12 +0000
- Subject: [Bug network/18665] New: In send_dg, the recvfrom function is NOT always using the buffer size of a newly created buffer.
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
Bug ID: 18665
Summary: In send_dg, the recvfrom function is NOT always using
the buffer size of a newly created buffer.
Product: glibc
Version: 2.20
Status: NEW
Severity: normal
Priority: P2
Component: network
Assignee: unassigned at sourceware dot org
Reporter: rhollida at ciena dot com
Target Milestone: ---
Description:
When the thisanssizp pointer variable on line 1257 is updated (thisanssizp = anssizp2, i.e. assigned a new address), the thisanssizp pointer used in the recvfrom call on line 1282 ends up supplying the wrong size whenever a new buffer is created after the thisanssizp address has been changed at line 1257. The size passed to recvfrom will be whatever is stored at the address assigned at line 1257, not the size of the newly created buffer.
The program will crash if the calculated size of the buffer used is 0. The recvfrom call itself will not crash, but any further accesses to the buffer from which recvfrom read 0 bytes will crash the program.
Initially, at line 1230:
    thisanssizp = anssizp;
- thisanssizp is assigned the address of anssizp when the send_dg function is first called.
At line 1257:
    thisanssizp = anssizp2;
- the thisanssizp address is updated after we have received a packet.
At line 1273:
    *anssizp = MAXPACKET;
- the size of the new buffer is assigned to *anssizp, not to *thisanssizp, when a new buffer is created.
At line 1282:
    recvfrom(pfd[0].fd, (char*)*thisansp, *thisanssizp,
- the recvfrom call uses the size from *thisanssizp, which is wrong.
- it can be seen here that thisansp contains the address of the newly created buffer, but *thisanssizp still contains the size derived from aligned_resplen instead of MAXPACKET.
Fix:
Use the size pointer *thisanssizp instead of *anssizp when creating the new buffer (removed line marked with -, added line marked with +):
    u_char *newp = malloc (MAXPACKET);
    if (newp != NULL) {
-       *anssizp = MAXPACKET;
+       *thisanssizp = MAXPACKET;
        *thisansp = ans = newp;
        if (thisansp == ansp2)
            *ansp2_malloced = 1;
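As an added illustration (not code from the bug report or from glibc), the following self-contained C model reproduces the size-pointer aliasing described above: anssiz and anssiz2 stand in for *anssizp and *anssizp2, the switch of thisanssizp to the second size is replayed, and the function returns the length that recvfrom would be handed with and without the proposed fix. The struct, function name and the 1024-byte first-buffer size are assumptions made for the example.

```c
#include <stdlib.h>

#define MAXPACKET 65536

/* Constructed model (not glibc's code) of the size-pointer aliasing in
   send_dg.  anssiz mirrors *anssizp (size of the first answer buffer) and
   anssiz2 mirrors *anssizp2 (size left for the second answer, derived from
   aligned_resplen).  Line numbers in the comments are the ones cited in
   the bug report. */
struct dg_sizes {
    int anssiz;
    int anssiz2;
};

/* Returns the length that recvfrom would be handed for the second answer
   when that answer does not fit and a fresh MAXPACKET buffer is allocated.
   If 'fixed' is non-zero the reporter's one-line fix is applied (size is
   stored through thisanssizp instead of anssizp). */
int recv_len_for_second_answer(int aligned_resplen_left, int fixed)
{
    struct dg_sizes st = { .anssiz = 1024, .anssiz2 = aligned_resplen_left };
    int *anssizp = &st.anssiz;
    int *anssizp2 = &st.anssiz2;

    int *thisanssizp = anssizp;   /* line 1230: first answer targets buffer 1 */

    /* A first packet has been received; later answers use buffer 2. */
    thisanssizp = anssizp2;       /* line 1257 */

    /* Buffer 2 is too small, so a new MAXPACKET buffer is allocated. */
    unsigned char *newp = malloc(MAXPACKET);
    if (newp == NULL)
        return -1;
    if (fixed)
        *thisanssizp = MAXPACKET; /* proposed fix: size of the buffer recvfrom uses */
    else
        *anssizp = MAXPACKET;     /* line 1273: updates buffer 1's size instead */
    free(newp);                   /* only the size bookkeeping matters here */

    /* line 1282: recvfrom(pfd[0].fd, (char*)*thisansp, *thisanssizp, ...) */
    return *thisanssizp;
}
```

With the original code, a second-buffer size of 0 (the crash case in the report) is passed to recvfrom unchanged even though a MAXPACKET buffer was just allocated; with the fix, recvfrom sees MAXPACKET.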