From patchwork Thu Jun 5 15:48:34 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andreas Schwab X-Patchwork-Id: 1339 Received: (qmail 31224 invoked by alias); 5 Jun 2014 15:48:39 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 31098 invoked by uid 89); 5 Jun 2014 15:48:38 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-3.2 required=5.0 tests=AWL, BAYES_00, RP_MATCHES_RCVD autolearn=ham version=3.3.2 X-HELO: mx2.suse.de From: Andreas Schwab To: libc-alpha@sourceware.org Subject: [PATCH] Avoid array overrun in getifaddrs X-Yow: I'm using my X-RAY VISION to obtain a rare glimpse of the INNER WORKINGS of this POTATO!! Date: Thu, 05 Jun 2014 17:48:34 +0200 Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux) MIME-Version: 1.0 [BZ #15698] * sysdeps/unix/sysv/linux/ifaddrs.c (getifaddrs_internal): Avoid writing beyond end of netmask. Remove redundant check for positive max_prefixlen. Store netmask via unsigned char. --- sysdeps/unix/sysv/linux/ifaddrs.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/sysdeps/unix/sysv/linux/ifaddrs.c b/sysdeps/unix/sysv/linux/ifaddrs.c index d83e8f8..7022888 100644 --- a/sysdeps/unix/sysv/linux/ifaddrs.c +++ b/sysdeps/unix/sysv/linux/ifaddrs.c @@ -748,7 +748,7 @@ getifaddrs_internal (struct ifaddrs **ifap) && ifas[ifa_index].ifa.ifa_addr->sa_family != AF_PACKET) { uint32_t max_prefixlen = 0; - char *cp = NULL; + unsigned char *cp = NULL; ifas[ifa_index].ifa.ifa_netmask = &ifas[ifa_index].netmask.sa; 
@@ -756,12 +756,12 @@ getifaddrs_internal (struct ifaddrs **ifap) switch (ifas[ifa_index].ifa.ifa_addr->sa_family) { case AF_INET: - cp = (char *) &ifas[ifa_index].netmask.s4.sin_addr; + cp = (unsigned char *) &ifas[ifa_index].netmask.s4.sin_addr; max_prefixlen = 32; break; case AF_INET6: - cp = (char *) &ifas[ifa_index].netmask.s6.sin6_addr; + cp = (unsigned char *) &ifas[ifa_index].netmask.s6.sin6_addr; max_prefixlen = 128; break; } @@ -771,11 +771,10 @@ getifaddrs_internal (struct ifaddrs **ifap) if (cp != NULL) { - char c; + unsigned char c; unsigned int preflen; - if ((max_prefixlen > 0) && - (ifam->ifa_prefixlen > max_prefixlen)) + if (ifam->ifa_prefixlen > max_prefixlen) preflen = max_prefixlen; else preflen = ifam->ifa_prefixlen; @@ -784,7 +783,8 @@ getifaddrs_internal (struct ifaddrs **ifap) *cp++ = 0xff; c = 0xff; c <<= (8 - (preflen % 8)); - *cp = c; + if (c != 0) + *cp = c; } } }
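Review bot: In the hunk at @@ -771, the removal of the `max_prefixlen > 0` test relies on an invariant that is not written down at the clamp: `cp != NULL` holds only when the `AF_INET` or `AF_INET6` case has also set `max_prefixlen` to 32 or 128. A short comment above `if (ifam->ifa_prefixlen > max_prefixlen)` stating that would make the dependency visible to anyone who later adds an address family to the switch, since a case that sets `cp` without setting `max_prefixlen` would now clamp `preflen` to 0.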
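Review bot: In the last hunk (@@ -784), `if (c != 0)` is an indirect test for `preflen % 8 != 0`: it works only because `c <<= (8 - (preflen % 8))` truncates to zero in an `unsigned char` when the shift count is 8. Testing `preflen % 8 != 0` directly, and computing `c` inside that branch, would state the bound being enforced; that is the whole-byte prefix case, where `*cp++ = 0xff` has already filled every byte the prefix covers and the trailing `*cp = c` is the write beyond the end of the netmask that the commit message refers to. If the current form is kept, a comment saying that zero means there is no partial byte to store would help.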