Source-Changes-HG archive


[src/trunk]: src/lib/libc/net Actually guarantee that the returned buffer fro...



details:   https://anonhg.NetBSD.org/src/rev/a02a06b34b88
branches:  trunk
changeset: 819476:a02a06b34b88
user:      kre <kre%NetBSD.org@localhost>
date:      Wed Dec 07 09:52:34 2016 +0000

description:
Actually guarantee that the returned buffer from link_ntoa() is always
NUL terminated, even when called by malicious/broken applications.

diffstat:

 lib/libc/net/linkaddr.c |  19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

diffs (40 lines):

diff -r 28564fae1856 -r a02a06b34b88 lib/libc/net/linkaddr.c
--- a/lib/libc/net/linkaddr.c   Wed Dec 07 04:58:39 2016 +0000
+++ b/lib/libc/net/linkaddr.c   Wed Dec 07 09:52:34 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: linkaddr.c,v 1.20 2016/12/07 03:16:45 christos Exp $   */
+/*     $NetBSD: linkaddr.c,v 1.21 2016/12/07 09:52:34 kre Exp $        */
 
 /*-
  * Copyright (c) 1990, 1993
@@ -34,7 +34,7 @@
 #if 0
 static char sccsid[] = "@(#)linkaddr.c 8.1 (Berkeley) 6/4/93";
 #else
-__RCSID("$NetBSD: linkaddr.c,v 1.20 2016/12/07 03:16:45 christos Exp $");
+__RCSID("$NetBSD: linkaddr.c,v 1.21 2016/12/07 09:52:34 kre Exp $");
 #endif
 #endif /* LIBC_SCCS and not lint */
 
@@ -153,6 +153,21 @@
                *out++ = (ch); \
        } while (/*CONSTCOND*/0)
 
+       /*
+        * This is not needed on the first call, as the static
+        * obuf wil be fully init'd to 0 by default.   But after
+        * obuf has been returned to userspace the first time,
+        * anything may have been written to it, so, let's be safe.
+        *
+        * (An alternative method would be to make ADDC() more
+        *  complex:
+        *      if (out < obuf + sizeof(obuf) - ((ch) != '\0'))
+        *              *out++ = (ch);
+        *  so it never returns, and the final ACCD(0) always works
+        *  but that evaluates 'ch' twice, and is slower, so ...)
+        */
+       obuf[sizeof(obuf) - 1] = '\0';
+
        if (sdl->sdl_nlen) {
                if (sdl->sdl_nlen >= sizeof(obuf))
                        i = sizeof(obuf) - 1;
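
Review bot: The added store `obuf[sizeof(obuf) - 1] = '\0';` guarantees termination only if ADDC() never writes a non-NUL byte into the last slot of obuf, and that bound check is not visible in this hunk, so the new comment should state the invariant explicitly (for example, "ADDC() never stores into obuf[sizeof(obuf) - 1], so clearing it here keeps the result terminated even when the final ADDC(0) is dropped"). The comment text also needs fixing: "wil" should be "will", "ACCD(0)" should be "ADDC(0)", and "so it never returns" does not say what is meant; if the intent is that `out` never runs past the end of obuf, say so. Since this is libc code, "returned to userspace" would read more accurately as "returned to the caller".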


