Buffer Copy without Checking Size of Input (CVE-2016-6559)

To: tech-security%netbsd.org@localhost
Subject: Buffer Copy without Checking Size of Input (CVE-2016-6559)
From: Pierre Pronchery <khorben%defora.org@localhost>
Date: Tue, 6 Dec 2016 18:22:46 +0100

			Hi tech-security,

I just noticed this post:
https://www.kb.cert.org/vuls/id/548487

Apparently NetBSD is vulnerable too:

src/lib/libc/net/linkaddr.c:
137 char *
138 link_ntoa(const struct sockaddr_dl *sdl)
139 {
140         static char obuf[64];
141         register char *out = obuf;
142         register size_t i;
143         const u_char *in = (const u_char *)CLLADDR(sdl);
144         const u_char *inlim = in + sdl->sdl_alen;
145         int firsttime = 1;
146
147         _DIAGASSERT(sdl != NULL);
148
149         if (sdl->sdl_nlen) {

150 (void)memcpy(obuf, sdl->sdl_data,(size_t)sdl->sdl_nlen);


(ouch)

Is someone working on this?

Cheers,
--
khorben

Follow-Ups:
- Re: Buffer Copy without Checking Size of Input (CVE-2016-6559)
  - From: kuehro

Prev by Date: Re: [oss-security] CVE Request: Denial-of-Service / Unexploitable Memory Corruption in mmap() on OpenBSD
Next by Date: Re: Buffer Copy without Checking Size of Input (CVE-2016-6559)
Previous by Thread: Fw: [oss-security] CVE Request: Denial-of-Service / Unexploitable Memory Corruption in mmap() on OpenBSD
Next by Thread: Re: Buffer Copy without Checking Size of Input (CVE-2016-6559)
Indexes:

Home | Main Index | Thread Index | Old Index