This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH][BZ #15698] Fix memory overrun in getifaddrs_internal.
- From: "H.J. Lu" <hjl dot tools at gmail dot com>
- To: Ondřej Bílka <neleai at seznam dot cz>
- Cc: GNU C Library <libc-alpha at sourceware dot org>
- Date: Tue, 8 Oct 2013 10:13:28 -0700
- Subject: Re: [PATCH][BZ #15698] Fix memory overrun in getifaddrs_internal.
- References: <20131008165738 dot GA14975 at domone dot podge>
On Tue, Oct 8, 2013 at 9:57 AM, Ondřej Bílka <neleai@seznam.cz> wrote:
> Hi, the code at https://sourceware.org/bugzilla/show_bug.cgi?id=15698
> contains a simple off-by-one error when preflen is divisible by 8.
>
> The following code should fix this; as preflen is unsigned, I added a check
> for zero len to be sure we do not cause underflow.
>
> OK to commit?
>
> * sysdeps/unix/sysv/linux/ifaddrs.c (getifaddrs_internal): Fix
> memory overrun.
Missing BZ #.
> diff --git a/sysdeps/unix/sysv/linux/ifaddrs.c b/sysdeps/unix/sysv/linux/ifaddrs.c
> index 89fda15..09676de 100644
> --- a/sysdeps/unix/sysv/linux/ifaddrs.c
> +++ b/sysdeps/unix/sysv/linux/ifaddrs.c
> @@ -780,7 +780,7 @@ getifaddrs_internal (struct ifaddrs **ifap)
> else
> preflen = ifam->ifa_prefixlen;
>
> - for (i = 0; i < (preflen / 8); i++)
> + for (i = 0; preflen && i < ((preflen - 1) / 8); i++)
> *cp++ = 0xff;
> c = 0xff;
> c <<= (8 - (preflen % 8));
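Review bot: in the changed `for` line, lowering the bound to `(preflen - 1) / 8` leaves the unchanged context lines `c = 0xff; c <<= (8 - (preflen % 8));` to supply the last byte, and whenever preflen is a multiple of 8 the shift count there is 8, so if c is an 8-bit value that is then stored as the final byte, that byte is 0 rather than 0xff and the mask comes out 8 bits short (a prefix of 24 would give two 0xff bytes followed by 0). Consider keeping `i < (preflen / 8)` and instead making the store after the loop conditional on a partial byte remaining, which also makes the `preflen &&` test unnecessary.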
I don't think it is correct for netmask. When
preflen == max_prefixlen, netmask should be all 1's.
Something like:
  for (i = 0; i < (preflen / 8); i++)
    *cp++ = 0xff;
  if (preflen != max_prefixlen)
    {
      c = 0xff;
      c <<= (8 - (preflen % 8));
      *cp = c;
    }
BTW, max_prefixlen is always > 0 when cp != NULL.
--
H.J.
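
Added example (not from this thread and not glibc code): the three loop shapes discussed above, each run against a buffer that has a constructed guard byte just past the netmask, so a write beyond the mask is detected without overflowing anything. It assumes an 8-bit unsigned c, that the pre-patch code ends with the `*cp = c` store shown in the reply, and that preflen is already clamped to max_prefixlen; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUARD 0xA5 /* constructed canary byte placed just past the netmask */
typedef void (*fill_fn)(unsigned char *cp, unsigned max_prefixlen, unsigned preflen);

/* Shared tail: the partial byte, assuming an 8-bit unsigned c (a shift by 8 yields 0). */
static void tail(unsigned char *cp, unsigned preflen) {
    unsigned char c = 0xff;
    c <<= (8 - (preflen % 8));
    *cp = c;
}
/* Pre-patch loop bound; the final store is assumed from the reply's snippet. */
static void fill_original(unsigned char *cp, unsigned max, unsigned preflen) {
    (void)max;
    for (size_t i = 0; i < (preflen / 8); i++) *cp++ = 0xff;
    tail(cp, preflen);
}
/* Loop bound from the proposed patch. */
static void fill_proposed(unsigned char *cp, unsigned max, unsigned preflen) {
    (void)max;
    for (size_t i = 0; preflen && i < ((preflen - 1) / 8); i++) *cp++ = 0xff;
    tail(cp, preflen);
}
/* Shape suggested in the reply: skip the tail store when the mask is full. */
static void fill_guarded(unsigned char *cp, unsigned max, unsigned preflen) {
    for (size_t i = 0; i < (preflen / 8); i++) *cp++ = 0xff;
    if (preflen != max) tail(cp, preflen);
}
/* Returns -1 if the byte after the mask was written, else the number of 1 bits. */
int mask_bits(fill_fn fn, unsigned max_prefixlen, unsigned preflen) {
    unsigned char buf[17]; /* 16 mask bytes (IPv6) plus the guard */
    unsigned n = max_prefixlen / 8, bits = 0;
    memset(buf, 0, sizeof buf);
    buf[n] = GUARD;
    fn(buf, max_prefixlen, preflen);
    if (buf[n] != GUARD) return -1;
    for (unsigned i = 0; i < n; i++)
        for (unsigned b = buf[i]; b; b >>= 1) bits += b & 1;
    return (int)bits;
}
int main(void) {
    const unsigned lens[] = {0, 8, 20, 24, 32};
    for (size_t i = 0; i < sizeof lens / sizeof *lens; i++)
        printf("/%u: original=%d proposed=%d guarded=%d\n", lens[i],
               mask_bits(fill_original, 32, lens[i]),
               mask_bits(fill_proposed, 32, lens[i]),
               mask_bits(fill_guarded, 32, lens[i]));
    return 0;
}
```

A result of -1 means the guard byte was overwritten; any other result should equal the prefix length if the mask is right.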