NetBSD-Bugs archive


bin/45661: Overlapping buffer in route.c.



>Number:         45661
>Category:       bin
>Synopsis:       Overlapping buffer in route.c.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 27 08:30:01 +0000 2011
>Originator:     Henning Petersen
>Release:        NetBSD-current
>Organization:
>Environment:
>Description:
Overlapping buffer in route.c with undefined behavior.
>How-To-Repeat:

>Fix:
diff -u -p -r1.134 route.c
--- sbin/route/route.c  11 Nov 2011 15:09:32 -0000      1.134
+++ sbin/route/route.c  19 Nov 2011 12:55:04 -0000
@@ -476,6 +476,7 @@ routename(const struct sockaddr *sa, str
        static int first = 1;
        struct in_addr in;
        int nml;
+       size_t len;
 
        if ((flags & RTF_HOST) == 0)
                return netname(sa, nm);
@@ -599,10 +600,11 @@ routename(const struct sockaddr *sa, str
 
                snprintf(line, sizeof(line), "%u", ms.shim.label);
                pms = &((const struct sockaddr_mpls*)sa)->smpls_addr;
+               len = strlen(line);
                while(psize < sa->sa_len) {
                        pms++;
                        ms.s_addr = ntohl(pms->s_addr);
-                       snprintf(line, sizeof(line), "%s %u", line,
+                       snprintf(line + len, sizeof(line) - len, " %u",
                            ms.shim.label);
                        psize += sizeof(ms);
                }
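
Review bot: in the while loop of the second hunk, `len` is computed once before the loop and never advanced, so every iteration writes at the same offset `line + len` and overwrites the label appended by the previous pass. For a stack of three or more labels, only the first and the last end up in `line`. Advance the offset on each pass, for example `len += snprintf(line + len, sizeof(line) - len, " %u", ms.shim.label);`, and stop once `len >= sizeof(line)`, since snprintf returns the length it would have written on truncation and `sizeof(line) - len` would otherwise wrap. Alternatively, move `len = strlen(line);` to the top of the loop body.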


