From: Jakub Jelinek <jakub@redhat.com>
To: Ulrich Drepper <drepper@redhat.com>
Cc: Glibc hackers <libc-hacker@sources.redhat.com>
Subject: [PATCH] Fix inet_ntop
Date: Mon, 30 Apr 2007 16:42:00 -0000 [thread overview]
Message-ID: <20070430165012.GQ1826@sunsite.mff.cuni.cz> (raw)
Hi!
The size check doesn't take into account the trailing '\0'.
2007-04-30 Jakub Jelinek <jakub@redhat.com>
[BZ #4439]
* resolv/inet_ntop.c (inet_ntop4): Take terminating '\0' into
account in the size check.
* resolv/tst-inet_ntop.c: New test.
--- libc/resolv/inet_ntop.c.jj 2002-08-03 14:08:47.000000000 +0200
+++ libc/resolv/inet_ntop.c 2007-04-30 18:02:12.000000000 +0200
@@ -96,7 +96,7 @@ inet_ntop4(src, dst, size)
static const char fmt[] = "%u.%u.%u.%u";
char tmp[sizeof "255.255.255.255"];
- if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) > size) {
+ if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) >= size) {
__set_errno (ENOSPC);
return (NULL);
}
--- libc/resolv/tst-inet_ntop.c.jj 2007-04-30 18:36:40.000000000 +0200
+++ libc/resolv/tst-inet_ntop.c 2007-04-30 18:35:09.000000000 +0200
@@ -0,0 +1,111 @@
+#include <arpa/inet.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <string.h>
+
+int
+main (void)
+{
+ struct in_addr addr4;
+ struct in6_addr addr6;
+ char buf[64];
+ int result = 0;
+
+ addr4.s_addr = 0xe0e0e0e0;
+ addr6.s6_addr16[0] = 0;
+ addr6.s6_addr16[1] = 0;
+ addr6.s6_addr16[2] = 0;
+ addr6.s6_addr16[3] = 0;
+ addr6.s6_addr16[4] = 0;
+ addr6.s6_addr16[5] = 0xffff;
+ addr6.s6_addr32[3] = 0xe0e0e0e0;
+ memset (buf, 'x', sizeof buf);
+
+ if (inet_ntop (AF_INET, &addr4, buf, 15) != NULL)
+ {
+ puts ("1st inet_ntop returned non-NULL");
+ result++;
+ }
+ else if (errno != ENOSPC)
+ {
+ puts ("1st inet_ntop didn't fail with ENOSPC");
+ result++;
+ }
+ if (buf[15] != 'x')
+ {
+ puts ("1st inet_ntop wrote past the end of buffer");
+ result++;
+ }
+
+ if (inet_ntop (AF_INET, &addr4, buf, 16) != buf)
+ {
+ puts ("2nd inet_ntop did not return buf");
+ result++;
+ }
+ if (memcmp (buf, "224.224.224.224\0" "xxxxxxxx", 24) != 0)
+ {
+ puts ("2nd inet_ntop wrote past the end of buffer");
+ result++;
+ }
+
+ if (inet_ntop (AF_INET6, &addr6, buf, 22) != NULL)
+ {
+ puts ("3rd inet_ntop returned non-NULL");
+ result++;
+ }
+ else if (errno != ENOSPC)
+ {
+ puts ("3rd inet_ntop didn't fail with ENOSPC");
+ result++;
+ }
+ if (buf[22] != 'x')
+ {
+ puts ("3rd inet_ntop wrote past the end of buffer");
+ result++;
+ }
+
+ if (inet_ntop (AF_INET6, &addr6, buf, 23) != buf)
+ {
+ puts ("4th inet_ntop did not return buf");
+ result++;
+ }
+ if (memcmp (buf, "::ffff:224.224.224.224\0" "xxxxxxxx", 31) != 0)
+ {
+ puts ("4th inet_ntop wrote past the end of buffer");
+ result++;
+ }
+
+ memset (&addr6.s6_addr, 0xe0, sizeof (addr6.s6_addr));
+
+ if (inet_ntop (AF_INET6, &addr6, buf, 39) != NULL)
+ {
+ puts ("5th inet_ntop returned non-NULL");
+ result++;
+ }
+ else if (errno != ENOSPC)
+ {
+ puts ("5th inet_ntop didn't fail with ENOSPC");
+ result++;
+ }
+ if (buf[39] != 'x')
+ {
+ puts ("5th inet_ntop wrote past the end of buffer");
+ result++;
+ }
+
+ if (inet_ntop (AF_INET6, &addr6, buf, 40) != buf)
+ {
+ puts ("6th inet_ntop did not return buf");
+ result++;
+ }
+ if (memcmp (buf, "e0e0:e0e0:e0e0:e0e0:e0e0:e0e0:e0e0:e0e0\0"
+ "xxxxxxxx", 48) != 0)
+ {
+ puts ("6th inet_ntop wrote past the end of buffer");
+ result++;
+ }
+
+
+ return result;
+}
--- libc/resolv/Makefile.jj 2004-08-15 22:21:59.000000000 +0200
+++ libc/resolv/Makefile 2007-04-30 18:39:23.000000000 +0200
@@ -1,4 +1,4 @@
-# Copyright (C) 1994,1995,1996,1997,1998,1999,2000,2001,2003,2004
+# Copyright (C) 1994,1995,1996,1997,1998,1999,2000,2001,2003,2004,2007
# Free Software Foundation, Inc.
# This file is part of the GNU C Library.
@@ -32,7 +32,7 @@ distribute := ../conf/portability.h mapv
routines := herror inet_addr inet_ntop inet_pton nsap_addr res_init \
res_hconf res_libc res-state
-tests = tst-aton tst-leaks
+tests = tst-aton tst-leaks tst-inet_ntop
xtests = tst-leaks2
generate := mtrace-tst-leaks tst-leaks.mtrace tst-leaks2.mtrace
Jakub
reply other threads:[~2007-04-30 16:42 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070430165012.GQ1826@sunsite.mff.cuni.cz \
--to=jakub@redhat.com \
--cc=drepper@redhat.com \
--cc=libc-hacker@sources.redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).