tech-net archive


nd6_rtr.c possible buffer overflow?



Hi All,


From nd6_rtr.c:

        memset(&ifra, 0, sizeof(ifra));
        /*
         * in6_update_ifa() does not use ifra_name, but we accurately set it
         * for safety.
         */
        strncpy(ifra.ifra_name, if_name(ifp), sizeof(ifra.ifra_name));
        sockaddr_in6_init(&ifra.ifra_addr, &pr->ndpr_prefix.sin6_addr, 0, 0, 0);
        /* prefix */
        ifra.ifra_addr.sin6_addr.s6_addr32[0] &= mask.s6_addr32[0];
        ifra.ifra_addr.sin6_addr.s6_addr32[1] &= mask.s6_addr32[1];
        ifra.ifra_addr.sin6_addr.s6_addr32[2] &= mask.s6_addr32[2];
        ifra.ifra_addr.sin6_addr.s6_addr32[3] &= mask.s6_addr32[3];

Assuming that if_name(ifp) is the maximum size, wouldn't that possibly lead to
an unterminated string?

In such a case, wouldn't strlcpy be better?

Index: src/sys/netinet6/nd6_rtr.c
===================================================================
RCS file: /cvsroot/src/sys/netinet6/nd6_rtr.c,v
retrieving revision 1.90
diff -u -p -r1.90 nd6_rtr.c
--- src/sys/netinet6/nd6_rtr.c  14 Sep 2013 21:08:35 -0000      1.90
+++ src/sys/netinet6/nd6_rtr.c  3 Oct 2013 15:50:40 -0000
@@ -1868,7 +1868,7 @@ in6_ifadd(struct nd_prefixctl *pr, int m
         * in6_update_ifa() does not use ifra_name, but we accurately set it
         * for safety.
         */
-       strncpy(ifra.ifra_name, if_name(ifp), sizeof(ifra.ifra_name));
+       strlcpy(ifra.ifra_name, if_name(ifp), sizeof(ifra.ifra_name));
        sockaddr_in6_init(&ifra.ifra_addr, &pr->ndpr_prefix.sin6_addr, 0, 0, 0);
        /* prefix */
        ifra.ifra_addr.sin6_addr.s6_addr32[0] &= mask.s6_addr32[0];
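Review bot: the switch to strlcpy fixes the termination problem (with strncpy, a name of exactly sizeof(ifra.ifra_name) bytes leaves no NUL, and the earlier memset only helps for shorter names), but the return value is discarded, so a name of sizeof(ifra.ifra_name) bytes or more is now silently truncated. Given the comment directly above, "in6_update_ifa() does not use ifra_name", that is acceptable in this hunk; if the field is ever consumed, check for `>= sizeof(ifra.ifra_name)` and handle the truncation. The commit message should state the unterminated-string case explicitly rather than "buffer overflow", since strncpy never writes past the buffer here.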


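The difference the post is asking about, as an added example that is not part of the original message or of NetBSD's code: a name buffer the size of ifra_name is filled with strncpy the way the quoted nd6_rtr.c does, and then with strlcpy. The 16-byte buffer size mirrors IFNAMSIZ and is an assumption; the interface names are constructed. Because strlcpy is not present in every libc, the block carries its own small reimplementation (my_strlcpy) with the documented strlcpy(3) semantics.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumption: NetBSD's IFNAMSIZ is 16; the same size is used for the local
 * name buffer so the worked case matches ifra.ifra_name. */
#define NAME_SIZE 16

/* Local reimplementation of strlcpy(3) semantics (always NUL-terminates when
 * size > 0, returns strlen(src)) so the example builds on libcs without it. */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* 1 if a NUL exists somewhere in buf[0..size), i.e. buf is a C string. */
static int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Mirror of the quoted code: memset, then strncpy bounded by sizeof(buf).
 * Returns 1 if the result is still a terminated string. */
int strncpy_terminated(const char *name)
{
    char buf[NAME_SIZE];
    memset(buf, 0, sizeof(buf));
    strncpy(buf, name, sizeof(buf));
    return is_terminated(buf, sizeof(buf));
}

/* Same copy done with strlcpy semantics. Returns 1 if terminated. */
int strlcpy_terminated(const char *name)
{
    char buf[NAME_SIZE];
    memset(buf, 0, sizeof(buf));
    my_strlcpy(buf, name, sizeof(buf));
    return is_terminated(buf, sizeof(buf));
}

/* strlcpy reports the source length, so truncation is detectable:
 * returns 1 if name did not fit in NAME_SIZE - 1 characters. */
int strlcpy_truncated(const char *name)
{
    char buf[NAME_SIZE];
    return my_strlcpy(buf, name, sizeof(buf)) >= sizeof(buf);
}

int main(void)
{
    /* Constructed interface names: one short, one exactly NAME_SIZE bytes. */
    const char *short_name = "wm0";
    const char *max_name = "abcdefghijklmnop";

    printf("strncpy \"%s\": terminated=%d\n", short_name,
        strncpy_terminated(short_name));
    printf("strncpy \"%s\": terminated=%d\n", max_name,
        strncpy_terminated(max_name));
    printf("strlcpy \"%s\": terminated=%d truncated=%d\n", max_name,
        strlcpy_terminated(max_name), strlcpy_truncated(max_name));
    return 0;
}
```

With the 16-byte name, strncpy copies all 16 bytes and the buffer holds no NUL, which is the case the post describes; strlcpy copies 15 bytes, terminates, and its return value of 16 signals the truncation that the patch itself does not check.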