Gentoo's Bugzilla – Attachment 36388 Details for Bug 58633 "Stack smashing attack in if_readlist_proc()" from ifconfig
[patch] Patch as per my comment 9
net-tools-1.60-bug58633.patch (text/plain), 1.62 KB, created by Kevin F. Quinn (RETIRED) on 2004-07-29 01:39:45 UTC
>diff -ur net-tools-1.60.orig/lib/interface.c net-tools-1.60/lib/interface.c >--- net-tools-1.60.orig/lib/interface.c 2004-07-28 16:25:38.000000000 +0200 >+++ net-tools-1.60/lib/interface.c 2004-07-29 10:40:09.522762528 +0200 >@@ -203,28 +203,40 @@ > > static char *get_name(char *name, char *p) > { >+ int nameidx=0; > while (isspace(*p)) > p++; >- while (*p) { >+ /* Guard main loop - shouldn't ever be a problem, unless the kernel >+ puts invalid data in the network device listing. IFNAMSIZ-1 is >+ necessary as a terminator is written at the end of the loop */ >+ while (*p && (nameidx<(IFNAMSIZ-1))) { > if (isspace(*p)) > break; > if (*p == ':') { /* could be an alias */ >- char *dot = p, *dotname = name; >- *name++ = *p++; >- while (isdigit(*p)) >- *name++ = *p++; >+ char *dot = p; >+ int dotnameidx = nameidx; >+ name[nameidx++] = *p++; >+ /* Guard alias scanning - when bytes field is large >+ enough it attaches to the : of the interface name, >+ and this scan therefore tries to parse it - without the >+ guard it is possible to overrun the name[] buffer. Limit >+ is IFNAMSIZ-2 to allow space for the ':' written after >+ this "while", and the terminator written after the >+ enclosing "if". */ >+ while (isdigit(*p) && (nameidx<(IFNAMSIZ-2))) >+ name[nameidx++] = *p++; > if (*p != ':') { /* it wasn't, backup */ > p = dot; >- name = dotname; >+ nameidx = dotnameidx; > } > if (*p == '\0') > return NULL; > p++; > break; > } >- *name++ = *p++; >+ name[nameidx++] = *p++; > } >- *name++ = '\0'; >+ name[nameidx] = '\0'; > return p; > } >
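Review bot: When the new outer guard `nameidx<(IFNAMSIZ-1)` ends the loop in get_name(), the function terminates the truncated name and returns p still pointing inside the interface name, so an over-long name is indistinguishable from a normal one and any caller that keeps parsing from the returned pointer starts mid-name; consider returning NULL in that case, as the function already does for `*p == '\0'`. The comment on the inner guard says IFNAMSIZ-2 leaves room for a ':' written after the "while", but in the visible lines the ':' is stored before that loop and nothing is written between the loop and the terminator, so the comment should be corrected (the bound itself still keeps the final write at or below name[IFNAMSIZ-1]). The bounds hard-code IFNAMSIZ while the function takes no size parameter, so they hold only if every caller passes a buffer of at least IFNAMSIZ bytes; a comment above the function stating that requirement would help. Separately, isspace(*p) and isdigit(*p) receive a plain char; casting to unsigned char avoids undefined behaviour for bytes above 0x7f.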