This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/9881] New: check memory space in inet6_rth_add()
- From: "yanghy at cn dot fujitsu dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 23 Feb 2009 07:38:22 -0000
- Subject: [Bug libc/9881] New: check memory space in inet6_rth_add()
- Reply-to: sourceware-bugzilla at sourceware dot org
Add the checking for two reasons:
1)if not check, it may cause segmentation fault.
2)if not check, errorous packets will be send to the netwok,
without any compiler error.
But after adding the check, we can find the problem ASAP.
for example: (contribute a Router Header using)
inet6_rth_init(buffer, 24, 0, 0)
inet6_rth_add(buffer, IpAddr)
Signed-off-by: Yang Hongyang <yanghy@cn.fujitsu.com>
--- glibc-2.5-20061008T1257.org/inet/inet6_rth.c 2009-01-11 22:51:33.000000000 +0800
+++ glibc-2.5-20061008T1257/inet/inet6_rth.c 2009-01-11 23:19:45.000000000 +0800
@@ -87,12 +87,16 @@ int
inet6_rth_add (void *bp, const struct in6_addr *addr)
{
struct ip6_rthdr *rthdr = (struct ip6_rthdr *) bp;
+ struct ip6_rthdr0 *rthdr0;
+
+ rthdr0 = (struct ip6_rthdr0 *) rthdr;
+ if (rthdr0->ip6r0_len * 8 / sizeof (struct in6_addr) \
+ - rthdr0->ip6r0_segleft < 1)
+ return -1;
switch (rthdr->ip6r_type)
{
- struct ip6_rthdr0 *rthdr0;
case IPV6_RTHDR_TYPE_0:
- rthdr0 = (struct ip6_rthdr0 *) rthdr;
memcpy (&rthdr0->ip6r0_addr[rthdr0->ip6r0_segleft++],
addr, sizeof (struct in6_addr));
--
Summary: check memory space in inet6_rth_add()
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: yanghy at cn dot fujitsu dot com
CC: glibc-bugs at sources dot redhat dot com,yanghy at cn
dot fujitsu dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=9881
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.