Re: [bug-inetutils] Ifconfig broken on GNU/Linux arch x86_64.

Wed, 22 Sep 2010 15:57:13 -0700 

onsdag den 22 september 2010 klockan 18:47 skrev Mats Erik Andersson detta:
> Hello,
> 
> the code in
> 
>    ifconfig/system/linux.c
> 
> is broken on my Debian Squeeze amd64 machine. I am starting from
> a fresh git checkout for x86 and x86_64, but the latter fails in
> execution.
> 
> The function linux_if_nameindex() is clearly broken on x86_64.
> It is used as
> 
>      ### End of ifconfig/system/linux.c
> 
>      system_if_nameindex = linux_if_nameindex
> 
> It is broken in the sense that every structure element "if_name"
> is the empty string. The number of entries returned is correct,

I am not yet certain that I have found the fault, but I have certainly
found a case of buffer overrun in said function. It is easy to construct
unusual strings -- not expected in /proc/net/dev though -- that would brake
the code as it was until now.


Mats E A



=========================================================================
From 56dd929ce4ab78872d93159bc200e46f30b0acdf Mon Sep 17 00:00:00 2001
From: Mats Erik Andersson <g...@gisladisker.se>
Date: Thu, 23 Sep 2010 00:45:25 +0200
Subject: [PATCH] ifconfig/system/linux.c: Recalculate a search range.

---
 ChangeLog               |    5 +++++
 ifconfig/system/linux.c |    2 +-
 2 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1ff6282..cba4d58 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2010-09-23  Mats Erik Andersson <g...@gisladisker.se>
+
+       * ifconfig/system/linux.c (linux_if_nameindex): Express the exact
+       amount remaining of the string when locating next token.
+
 2010-09-15  Mats Erik Andersson <g...@gisladisker.se>
 
        * telnetd/telnetd.c (login_invocation, argp_options):
diff --git a/ifconfig/system/linux.c b/ifconfig/system/linux.c
index 0f4e579..808d252 100644
--- a/ifconfig/system/linux.c
+++ b/ifconfig/system/linux.c
@@ -886,7 +886,7 @@ linux_if_nameindex (void)
   }
 
   for (it = memchr (content, ':', length), index = 0; it;
-       it = memchr (it, ':', it - content), index++)
+       it = memchr (it, ':', length - (it - content)), index++)
     {
       char *start = it - 1;
       *it = '\0';
-- 
1.7.1

Attachment: signature.asc
Description: Digital signature

Reply via email to