From: Hans Dedecker Date: Tue, 7 Feb 2017 21:32:57 +0000 (+0100) Subject: odhcp6c: fix possible stack corruption when parsing proc if_inet6 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=cfd986c389c59cc8199a42bd797863bdb0eba6b7;p=oweals%2Fodhcp6c.git odhcp6c: fix possible stack corruption when parsing proc if_inet6 Fix buffer overflow when storing the IPv6 address in addr_buf as the trailing zero was out of bounds. Fix possible buffer overflow when storing the interface name in name as interface name can contain IF_NAMESIZE characters. Signed-off-by: Hans Dedecker --- diff --git a/src/odhcp6c.c b/src/odhcp6c.c index 2fe41e5..d8d27a7 100644 --- a/src/odhcp6c.c +++ b/src/odhcp6c.c @@ -1,5 +1,6 @@ /** * Copyright (C) 2012-2014 Steven Barth + * Copyright (C) 2017 Hans Dedecker * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License v2 as published by @@ -712,7 +713,7 @@ bool odhcp6c_addr_in_scope(const struct in6_addr *addr) struct in6_addr inet6_addr; uint32_t flags, dummy; unsigned int i; - char name[8], addr_buf[32]; + char name[IF_NAMESIZE], addr_buf[33]; len = strlen(buf); @@ -729,13 +730,13 @@ bool odhcp6c_addr_in_scope(const struct in6_addr *addr) (flags & (IFA_F_DADFAILED | IFA_F_TENTATIVE | IFA_F_DEPRECATED))) continue; - for (i = 0; i < sizeof(addr_buf); i++) { + for (i = 0; i < strlen(addr_buf); i++) { if (!isxdigit(addr_buf[i]) || isupper(addr_buf[i])) return false; } memset(&inet6_addr, 0, sizeof(inet6_addr)); - for (i = 0; i < (sizeof(addr_buf) / 2); i++) { + for (i = 0; i < (strlen(addr_buf) / 2); i++) { unsigned char byte; static const char hex[] = "0123456789abcdef"; byte = ((index(hex, addr_buf[i * 2]) - hex) << 4) |