[email protected] wrote:
>>> What is the code doing?
>>>
>>>         if ((dot = strrchr(addr, '.')) == 0) {
>>>                 return (0);
>>>         } else {
>>>                 char *p = dot - 1;
>>>                 size_t l = 0;
>>>                 while (*p != '.') {
>>>                         p--;
>>>                         l++;
>>>                 }
>>>                 p++;
>>>
>>>                 bzero(port_str, addr_len);
>>>                 (void) strncpy(port_str, p, l);
>>>                 port = atol(port_str) << 8;
>>>
>>>                 (void) strlcpy(port_str, dot + 1, addr_len);
>>>                 port = port | atol(port_str);
>>>         }
>>>
>>>         return (port);
>>>
>>> And are we sure that the code is only called with an address with 2 dots?
>>>
>>> I agree that strtol is probably the best function to use here.
>>>
>>>
>>>             p = addr + strlen(addr);
>>>
>>>             dots = 0;
>>>
>>>             while (p-- > addr)
>>>                     if (*p == '.' && ++dots == 2)
>>>                             break;
>>>
>>>             if (dots != 2)
>>>                     return (0);
>>>             p++;
>>>             port = strtoul(p, &q, 10) << 8;
>>>             if (q == p || *q != '.')
>>>                     return (0);
>>>             port |= strtoul(q + 1, NULL, 10);
>>>             return (port);
>>>   
>>>       
>> It is looking for something like:
>> 10.1.1.1.10.20
>>
>> To mean that IP#10.1.1.1 is using port 2580
>>
>> But it is also trying to pick ports off the end of
>> an IPv6 address too...ie
>> fe80:1:2:3:4:5:6:7.10.20
>>     
>
>
> But it fails horribly when it's given:
>
>               "<--there might be a second dot left of this arrow."
>
> Then you copy a large piece of memory into port_str.
>   
Casper,

We're handling universal addresses from rpcbind(3NSL) so the address 
should have correct format.

However, I agree with and Dave that we should better handle malformed 
input. I've made the change to make sure that we don't walk past the 
input address.

Thanks,
tony
_______________________________________________
networking-discuss mailing list
[email protected]
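
A bounded version of the port extraction discussed in this thread, as an added example that is not code from the thread or from the project. The names `uaddr_to_port` and `parse_octet` are hypothetical; returning 0 on malformed input follows the convention of the quoted code.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Parse one decimal octet (0..255) occupying exactly [s, end); -1 if not. */
static int
parse_octet(const char *s, const char *end)
{
	char *q;
	unsigned long v;

	/* strtoul() would accept leading space or a sign; reject them here. */
	if (s == end || !isdigit((unsigned char)*s))
		return (-1);
	v = strtoul(s, &q, 10);
	/* Overflow yields ULONG_MAX, which the range check also rejects. */
	if (q != end || v > 255)
		return (-1);
	return ((int)v);
}

/*
 * Hypothetical helper: port from a universal address ("10.1.1.1.10.20").
 * Returns 0 on malformed input; addr must be a NUL-terminated string.
 */
unsigned int
uaddr_to_port(const char *addr)
{
	const char *end = addr + strlen(addr);
	const char *lo_dot = NULL, *hi_dot = NULL, *p;
	int hi, lo;

	/* Scan backwards for the last two dots, never going below addr. */
	for (p = end; p > addr && hi_dot == NULL; ) {
		if (*--p != '.')
			continue;
		if (lo_dot == NULL)
			lo_dot = p;
		else
			hi_dot = p;
	}
	if (hi_dot == NULL)
		return (0);
	hi = parse_octet(hi_dot + 1, lo_dot);
	lo = parse_octet(lo_dot + 1, end);
	if (hi < 0 || lo < 0)
		return (0);
	return (((unsigned int)hi << 8) | (unsigned int)lo);
}
```

No intermediate `port_str` copy is needed, so there is no length to get wrong: each octet is validated in place against the dot or terminator that must follow it.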
