Date: Monday, February 13, 2023 @ 09:18:36
  Author: freswa
Revision: 468705

fix overlapping buffers leading to cut off IPv6 addresses since glibc 2.37

See 
https://lore.kernel.org/netdev/[email protected]/T/#u
Fixes FS#77451

Added:
  iproute2/trunk/fix_overlapping_buffers.patch
Modified:
  iproute2/trunk/PKGBUILD

-------------------------------+
 PKGBUILD                      |    9 ++++++-
 fix_overlapping_buffers.patch |   46 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 1 deletion(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2023-02-12 21:51:53 UTC (rev 468704)
+++ PKGBUILD    2023-02-13 09:18:36 UTC (rev 468705)
@@ -4,7 +4,7 @@
 
 pkgname=iproute2
 pkgver=6.1.0
-pkgrel=4
+pkgrel=5
 pkgdesc='IP Routing Utilities'
 arch=('x86_64')
 license=('GPL2')
@@ -29,10 +29,12 @@
 validpgpkeys=('9F6FC345B05BE7E766B83C8F80A77F6095CDE47E') # Stephen Hemminger
 
source=("https://www.kernel.org/pub/linux/utils/net/${pkgname}/${pkgname}-${pkgver}.tar."{xz,sign}
         '0001-make-iproute2-fhs-compliant.patch'
+        'fix_overlapping_buffers.patch'
         'bdb5.3.patch')
 sha256sums=('5ce12a0fec6b212725ef218735941b2dab76244db7e72646a76021b0537b43ab'
             'SKIP'
             '758b82bd61ed7512d215efafd5fab5ae7a28fbfa6161b85e2ce7373285e56a5d'
+            '7d2fb8ba06f3b73a8fa3ab673b8f1ad41c0e4fd85e3c31a8d4002a1b074ec1ae'
             '908de44ee99bf78669e7c513298fc2a22ca9d7e816a8f99788b1e9b091035cf4')
 
 prepare() {
@@ -44,6 +46,11 @@
   # use Berkeley DB 5.3
   patch -Np1 -i "${srcdir}"/bdb5.3.patch
 
+  # fix overlapping buffers leading to cut off IPv6 adresses since glibc 2.37
+  # See FS#77451 and
+  # 
https://lore.kernel.org/netdev/[email protected]/T/#u
+  patch -Np1 -i "${srcdir}"/fix_overlapping_buffers.patch
+
   # do not treat warnings as errors
   sed -i 's/-Werror//' Makefile
 

Added: fix_overlapping_buffers.patch
===================================================================
--- fix_overlapping_buffers.patch                               (rev 0)
+++ fix_overlapping_buffers.patch       2023-02-13 09:18:36 UTC (rev 468705)
@@ -0,0 +1,46 @@
+Fix overlapping buffers passed to strncpy which is UB. format_host_rta_r writes
+to the buffer passed to it, so hostname (derived from b1) & b1 partly overlap.
+
+This gets worse with sys-libs/glibc-2.37 where the ip route output can be 
truncated,
+but it was UB anyway and you can see it occurring w/ glibc-2.36.
+
+Bug: 
https://lore.kernel.org/netdev/[email protected]/T/#u
+Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30112
+Thanks-to: Doug Freed <[email protected]>
+Signed-off-by: Sam James <[email protected]>
+---
+ ip/iproute.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/ip/iproute.c b/ip/iproute.c
+index 0bab0fdf..a7cd9543 100644
+--- a/ip/iproute.c
++++ b/ip/iproute.c
+@@ -748,6 +748,7 @@ int print_route(struct nlmsghdr *n, void *arg)
+       int ret;
+
+       SPRINT_BUF(b1);
++      SPRINT_BUF(b2);
+
+       if (n->nlmsg_type != RTM_NEWROUTE && n->nlmsg_type != RTM_DELROUTE) {
+               fprintf(stderr, "Not a route: %08x %08x %08x\n",
+@@ -809,7 +810,7 @@ int print_route(struct nlmsghdr *n, void *arg)
+                                r->rtm_dst_len);
+               } else {
+                       const char *hostname = format_host_rta_r(family, 
tb[RTA_DST],
+-                                        b1, sizeof(b1));
++                                        b2, sizeof(b2));
+                       if (hostname)
+                               strncpy(b1, hostname, sizeof(b1) - 1);
+               }
+@@ -832,7 +833,7 @@ int print_route(struct nlmsghdr *n, void *arg)
+                                r->rtm_src_len);
+               } else {
+                       const char *hostname = format_host_rta_r(family, 
tb[RTA_SRC],
+-                                        b1, sizeof(b1));
++                                        b2, sizeof(b2));
+                       if (hostname)
+                               strncpy(b1, hostname, sizeof(b1) - 1);
+               }
+--
+2.39.1
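Review bot: The `strncpy(b1, hostname, sizeof(b1) - 1);` calls left in place in both inner hunks (the RTA_DST and RTA_SRC branches of print_route) never write a terminator themselves, so b1 is a valid string only if its last byte is already zero. SPRINT_BUF's definition is not visible here, but if it declares an uninitialised stack array, a hostname of sizeof(b1) - 1 bytes or more would leave b1 unterminated for whatever prints it later. Since the patch already touches these lines to remove the overlap, I would replace the copy with `snprintf(b1, sizeof(b1), "%s", hostname);`, which is well-defined now that the source no longer aliases b1 and which always terminates. It is also worth confirming what b1 holds when format_host_rta_r returns NULL, because neither branch assigns it in that case. print_route begins and ends outside these hunks, so the later uses of b1 cannot be checked from here.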
