Date:      Sat,  3 Aug 2002 19:02:55 +0200 (CEST)
From:      Stefan Farfeleder <e0026813@stud3.tuwien.ac.at>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   misc/41289: inet_ntop(3) buffer overflow
Message-ID:  <20020803170255.0FE86281@frog.fafoe>


>Number:         41289
>Category:       misc
>Synopsis:       inet_ntop(3) buffer overflow
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 03 10:00:11 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Stefan Farfeleder
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
>Environment:
System: FreeBSD frog.fafoe 4.6-STABLE FreeBSD 4.6-STABLE #0: Fri Aug 2 01:04:34 CEST 2002 freebsd@frog.fafoe:/freebsd/stable/obj/freebsd/stable/src/sys/FROG i386


	
>Description:
inet_ntop4()'s check for ENOSPC is wrong. sprintf() doesn't include the
terminating '\0' in its return value. inet_ntop6() seems safe.
>How-To-Repeat:

Script started on Sat Aug  3 18:57:36 2002
stefan@frog:~ 501 (0)$ cat pr.c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>

int
main(void)
{
    char buf[8];
    u_int32_t i = inet_addr("1.2.3.4");

    buf[7] = 1;
    inet_ntop(AF_INET, &i, buf, 7);
    if (buf[7] != 1) printf("buf[7] overwritten!\n");

    return 0;
}
stefan@frog:~ 502 (0)$ c89 pr.c
stefan@frog:~ 503 (0)$ ./a.out
buf[7] overwritten!
stefan@frog:~ 504 (0)$ exit

Script done on Sat Aug  3 18:57:52 2002
>Fix:

--- inet_ntop.c.orig	Sat Aug  3 18:14:52 2002
+++ inet_ntop.c	Sat Aug  3 18:41:33 2002
@@ -85,7 +85,7 @@
 	static const char fmt[] = "%u.%u.%u.%u";
 	char tmp[sizeof "255.255.255.255"];
 
-	if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) > size) {
+	if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) >= size) {
 		errno = ENOSPC;
 		return (NULL);
 	}
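Review bot: The `>= size` comparison on the changed line needs a short comment saying why equality is an error: SPRINTF's result does not count the terminating '\0', so a formatted length equal to `size` needs `size + 1` bytes in the caller's buffer. Since `tmp` is declared as `char tmp[sizeof "255.255.255.255"]`, the formatting step itself is bounded and the only exposure is the later write to the destination, which this hunk does not show. Turning the How-To-Repeat program into a regression test for the case where `size` equals the formatted length would keep the check from reverting.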
>Release-Note:
>Audit-Trail:
>Unformatted:
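
The boundary condition from the >Description field, as an added example that is not part of the original report or of FreeBSD's source: `ntop4`, `overrun` and `SAMPLE` are hypothetical names, and the copy after the length check is assumed to write the string together with its terminator. It goes beyond the report by running both comparisons over the sizes on either side of the boundary, with the destination placed inside a larger scratch array so the stray byte can be counted without a real out-of-bounds write.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: 1.2.3.4 formats to 7 characters plus '\0'. */
static const unsigned char SAMPLE[4] = { 1, 2, 3, 4 };

/* Hypothetical stand-in for inet_ntop4(). strict == 0 uses the original
 * "> size" test, strict != 0 the ">= size" test from the fix.
 * Assumption: after the check the string is copied with its terminator. */
static const char *
ntop4(const unsigned char *src, char *dst, size_t size, int strict)
{
	char tmp[sizeof "255.255.255.255"];
	size_t len = (size_t)snprintf(tmp, sizeof tmp, "%u.%u.%u.%u",
	    src[0], src[1], src[2], src[3]);	/* count excludes the '\0' */

	if (strict ? len >= size : len > size) {
		errno = ENOSPC;
		return (NULL);
	}
	memcpy(dst, tmp, len + 1);		/* len characters + '\0' */
	return (dst);
}

/* Returns -1 if ntop4() refused with ENOSPC, else the number of bytes
 * modified at or beyond dst[size] (0 means the write stayed in bounds). */
static int overrun(const unsigned char *addr, size_t size, int strict)
{
	unsigned char arena[32];	/* larger than any output: no real overflow */
	size_t i;
	int past = 0;

	memset(arena, 0xAA, sizeof arena);
	if (ntop4(addr, (char *)arena, size, strict) == NULL)
		return (-1);
	for (i = size; i < sizeof arena; i++)
		past += (arena[i] != 0xAA);
	return (past);
}

int main(void)
{
	size_t size;
	for (size = 6; size <= 8; size++)
		printf("size=%lu  '>' check: %2d  '>=' check: %2d\n", (unsigned long)size,
		    overrun(SAMPLE, size, 0), overrun(SAMPLE, size, 1));
	return (0);
}
```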
