Attachment #36388 for bug #58633

Lines 203-230 Link Here

(-)net-tools-1.60.orig/lib/interface.c (-8 / +20 lines)
203		203
204	static char get_name(char name, char *p)	204	static char get_name(char name, char *p)
205	{	205	{
		206	int nameidx=0;
206	while (isspace(*p))	207	while (isspace(*p))
207	p++;	208	p++;
208	while (*p) {	209	/* Guard main loop - shouldn't ever be a problem, unless the kernel
		210	puts invalid data in the network device listing. IFNAMSIZ-1 is
		211	necessary as a terminator is written at the end of the loop */
		212	while (*p && (nameidx<(IFNAMSIZ-1))) {
209	if (isspace(*p))	213	if (isspace(*p))
210	break;	214	break;
211	if (p == ':') { / could be an alias */	215	if (p == ':') { / could be an alias */
212	char dot = p, dotname = name;	216	char *dot = p;
213	name++ = p++;	217	int dotnameidx = nameidx;
214	while (isdigit(*p))	218	name[nameidx++] = *p++;
215	name++ = p++;	219	/* Guard alias scanning - when bytes field is large
		220	enough it attaches to the : of the interface name,
		221	and this scan therefore tries to parse it - without the
		222	guard it is possible to overrun the name[] buffer. Limit
		223	is IFNAMSIZ-2 to allow space for the ':' written after
		224	this "while", and the terminator written after the
		225	enclosing "if". */
		226	while (isdigit(*p) && (nameidx<(IFNAMSIZ-2)))
		227	name[nameidx++] = *p++;
216	if (p != ':') { / it wasn't, backup */	228	if (p != ':') { / it wasn't, backup */
217	p = dot;	229	p = dot;
218	name = dotname;	230	nameidx = dotnameidx;
219	}	231	}
220	if (*p == '\0')	232	if (*p == '\0')
221	return NULL;	233	return NULL;
222	p++;	234	p++;
223	break;	235	break;
224	}	236	}
225	name++ = p++;	237	name[nameidx++] = *p++;
226	}	238	}
227	*name++ = '\0';	239	name[nameidx] = '\0';
228	return p;	240	return p;
229	}	241	}
230		242

Return to bug 58633