This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug libc/9881] New: check memory space in inet6_rth_add()

Add the checking for two reasons:
1)if not check, it may cause segmentation fault.
2)if not check, errorous packets will be send to the netwok,
  without any compiler error. 
  But after adding the check, we can find the problem ASAP.

  for example: (contribute a Router Header using)
    inet6_rth_init(buffer, 24, 0, 0)
    inet6_rth_add(buffer, IpAddr)

Signed-off-by: Yang Hongyang <>

---	2009-01-11 22:51:33.000000000 +0800
+++ glibc-2.5-20061008T1257/inet/inet6_rth.c	2009-01-11 23:19:45.000000000 +0800
@@ -87,12 +87,16 @@ int
 inet6_rth_add (void *bp, const struct in6_addr *addr)
   struct ip6_rthdr *rthdr = (struct ip6_rthdr *) bp;
+  struct ip6_rthdr0 *rthdr0;
+  rthdr0 = (struct ip6_rthdr0 *) rthdr;
+  if (rthdr0->ip6r0_len * 8 / sizeof (struct in6_addr) \
+        - rthdr0->ip6r0_segleft < 1)
+        return -1;
   switch (rthdr->ip6r_type)
-      struct ip6_rthdr0 *rthdr0;
     case IPV6_RTHDR_TYPE_0:
-      rthdr0 = (struct ip6_rthdr0 *) rthdr;
       memcpy (&rthdr0->ip6r0_addr[rthdr0->ip6r0_segleft++],
 	      addr, sizeof (struct in6_addr));

           Summary: check memory space in inet6_rth_add()
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: yanghy at cn dot fujitsu dot com
                CC: glibc-bugs at sources dot redhat dot com,yanghy at cn
                    dot fujitsu dot com

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]