Date: Tue, 18 Dec 2007 12:00:38 +0300
From: "Yuriy Tsibizov" <Yuriy.Tsibizov@gfk.com>
To: "David Schultz" <das@FreeBSD.ORG>
Cc: freebsd-current@FreeBSD.ORG
Subject: RE: story about lost %ebx (stack corruption in inet_aton ?)
Message-ID: <78664C02FF341B4FAC63E561846E3BCC0EEA58@ex.hhp.local>
In-Reply-To: <20071218085316.GB24316@VARK.MIT.EDU>
References: <78664C02FF341B4FAC63E561846E3BCC0EEA52@ex.hhp.local> <78664C02FF341B4FAC63E561846E3BCC0EEA56@ex.hhp.local> <20071218085316.GB24316@VARK.MIT.EDU>
> -----Original Message-----
> From: David Schultz [mailto:das@FreeBSD.ORG]
> Sent: Tuesday, December 18, 2007 11:53 AM
> To: Yuriy Tsibizov
> Cc: freebsd-current@FreeBSD.ORG
> Subject: Re: story about lost %ebx (stack corruption in inet_aton ?)
>
> On Tue, Dec 18, 2007, Yuriy Tsibizov wrote:
> > > My first impression was that there is a bug in the gcc compiler on 7-BETA
> > > and 8-CURRENT (i386 only, and only if optimization is enabled), but it
> > > seems to be incorrect. Most probably the source is stack corruption in
> > > inet_aton()
> >
> > mistyped, it is inet_network() that fails...
> >
> > testcase:
> >
> > #include <sys/cdefs.h>
> > #include <sys/types.h>
> > #include <netinet/in.h>
> > #include <arpa/inet.h>
> > #include <ctype.h>
> > #include <stdio.h>	/* printf */
> > #include <string.h>	/* strchr */
> >
> > int main(void) {
> > 	in_addr_t val;
> > 	char s[] = "10.10.0.10.0/12"; // four dots here!
> > 	char *q;
> >
> > 	q = strchr(s, '/');
> > 	if (q) {
> > 		*q = '\0';
> > 		if ((val = inet_network(s)) != INADDR_NONE) {
> > 			printf("OK\n");
> > 			return (0);
> > 		}
> > 		/* q should still point at the '/' */
> > 		printf("q= %p\n", (void *)q);
> > 		*q = '/';
> > 	}
> > 	return (1);
> > }
> >
> >
> > (should be built with -O1 or -O2 to expose that bug)
>
> This isn't the compiler's fault. It looks like an off-by-one error
> in BIND 9.4.1 that's clobbering the saved %ebx on the stack.
> Try this:
>
> Index: lib/libc/inet/inet_network.c
> ===================================================================
> RCS file: /usr/cvs/src/lib/libc/inet/inet_network.c,v
> retrieving revision 1.4
> diff -u -r1.4 inet_network.c
> --- lib/libc/inet/inet_network.c	3 Jun 2007 17:20:26 -0000	1.4
> +++ lib/libc/inet/inet_network.c	18 Dec 2007 08:50:08 -0000
> @@ -83,7 +83,7 @@
>  		if (!digit)
>  			return (INADDR_NONE);
>  		if (*cp == '.') {
> -			if (pp >= parts + 4 || val > 0xffU)
> +			if (pp >= parts + 3 || val > 0xffU)
>  				return (INADDR_NONE);
>  			*pp++ = val, cp++;
>  			goto again;
>

Should it be

---------
--- inet_network.c.orig	2007-06-03 21:20:26.000000000 +0400
+++ inet_network.c	2007-12-18 11:11:33.000000000 +0300
@@ -53,7 +53,7 @@
 {
 	in_addr_t val, base, n;
 	char c;
-	in_addr_t parts[4], *pp = parts;
+	in_addr_t parts[5], *pp = parts;
 	int i, digit;
 
 again:
-----------

because later:

"
	n = pp - parts;
	if (n > 4U)
		return (INADDR_NONE);
"

Yuriy.
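Review bot: the tighter bound `pp >= parts + 3` in the '.' branch is the right fix, but the hunk leaves the reason invisible and it should be stated in a comment. The old bound lets the dot branch store four '.'-terminated parts (pp ends at parts + 4), and the later `n = pp - parts; if (n > 4U)` check quoted below only makes sense if one more part is stored after the loop; with four dots that trailing store is the fifth and lands in parts[4], one past the four-element array, before the `n > 4U` check can reject the input. With `parts + 3` the fourth '.' is refused here and pp never passes parts + 3. Suggest a one-liner above the check such as `/* at most three dots: the final part is stored below */`, and note that after this change `n > 4U` can no longer be true, so it is worth a comment marking it as a defensive guard rather than leaving a reader to wonder which of the two checks is load-bearing.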
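Review bot: enlarging the array to `parts[5]` also closes the overflow, since the store that follows four accepted dots then lands in parts[4] and the existing `if (n > 4U)` rejects the input afterwards, but it repairs the symptom rather than the bound. The dot branch still accepts a fourth '.', the parse keeps running on input the function already has enough information to refuse, and a later reader of `in_addr_t parts[5]` has no way to tell why a dotted quad needs five slots. Prefer tightening the `pp >= parts + 4` comparison in the '.' branch so the input is rejected at the fourth dot; if the larger array is kept anyway, add a comment on this line tying the fifth slot to the `n > 4U` check so the two are not "cleaned up" independently.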
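To make the off-by-one concrete, the following is an added example, not code from this thread and not the libc/BIND inet_network() source: a simplified, decimal-only model of the parse loop with the bound as a parameter. It keeps a canary in a fifth slot of a five-element array in place of whatever follows parts[] on the real stack (the saved %ebx in the report), so the extra store is observable without undefined behaviour. The names `model_inet_network`, `parse_result`, `CANARY`, `ADDR_NONE` and the `bound` parameter are assumptions for this example; the four-dot input is constructed from the testcase above.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example only. */
#define CANARY    0xdeadbeefu  /* stands in for the stack word after parts[] */
#define ADDR_NONE 0xffffffffu  /* same value as INADDR_NONE */

struct parse_result {
    uint32_t value;        /* packed network number, or ADDR_NONE */
    int      nstores;      /* how many parts were stored */
    int      canary_hit;   /* 1 if a store ran past parts[3] */
};

/*
 * Decimal-only model of the inet_network() parse loop.  `bound` is the
 * number of '.'-terminated parts the dot branch accepts before rejecting:
 * 4 reproduces the original `pp >= parts + 4`, 3 the proposed `parts + 3`.
 * slots[0..3] play the role of parts[4]; slots[4] is a canary standing in
 * for whatever follows the array on the real stack.  Keeping the canary
 * inside a 5-element array keeps this model well defined while still
 * showing where the extra store lands.
 */
struct parse_result model_inet_network(const char *cp, int bound)
{
    uint32_t slots[5];
    uint32_t *parts = slots, *pp = parts;
    uint32_t val, n;
    struct parse_result r = { ADDR_NONE, 0, 0 };
    int i, digit;

    slots[4] = CANARY;

again:
    val = 0;
    digit = 0;
    while (isdigit((unsigned char)*cp)) {
        val = val * 10u + (uint32_t)(*cp - '0');
        cp++;
        digit = 1;
    }
    if (!digit)
        goto done;
    if (*cp == '.') {
        /* The check under discussion. */
        if (pp >= parts + bound || val > 0xffu)
            goto done;
        *pp++ = val, cp++;
        goto again;
    }
    if (*cp != '\0' && !isspace((unsigned char)*cp))
        goto done;
    /* Unconditional store of the last part: with four dots already
     * accepted this is the fifth store, one past parts[3]. */
    *pp++ = val;
    n = (uint32_t)(pp - parts);
    if (n > 4u)
        goto done;            /* rejects the input, but the store already happened */
    for (val = 0, i = 0; i < (int)n; i++) {
        val <<= 8;
        val |= parts[i] & 0xffu;
    }
    r.value = val;

done:
    r.nstores = (int)(pp - parts);
    r.canary_hit = (slots[4] != CANARY);
    return r;
}

int main(void)
{
    /* Constructed input: the four-dot string from the testcase, '/' stripped. */
    const char *input = "10.10.0.10.0";
    struct parse_result loose = model_inet_network(input, 4);
    struct parse_result tight = model_inet_network(input, 3);

    printf("bound parts+4: %d stores, canary %s\n",
           loose.nstores, loose.canary_hit ? "clobbered" : "intact");
    printf("bound parts+3: %d stores, canary %s\n",
           tight.nstores, tight.canary_hit ? "clobbered" : "intact");
    return 0;
}
```

With `bound` = 4 the four-dot input produces five stores and the canary is overwritten before the `n > 4U` check returns ADDR_NONE, which is the sequence David describes; with `bound` = 3 the fourth dot is rejected after three stores and the canary is untouched. Yuriy's alternative corresponds to declaring the canary slot a legitimate part of the array, so the late `n > 4U` check alone is enough to keep the write in bounds.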
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?78664C02FF341B4FAC63E561846E3BCC0EEA58>