From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-hacker-return-9223-listarch-libc-hacker=sources.redhat.com@sourceware.org>
Received: (qmail 18852 invoked by alias); 30 Apr 2007 16:42:37 -0000
Received: (qmail 18833 invoked by uid 22791); 30 Apr 2007 16:42:37 -0000
X-Spam-Check-By: sourceware.org
Received: from sunsite.ms.mff.cuni.cz (HELO sunsite.mff.cuni.cz) (195.113.15.26)
    by sourceware.org (qpsmtpd/0.31) with ESMTP; Mon, 30 Apr 2007 17:42:32 +0100
Received: from sunsite.mff.cuni.cz (localhost.localdomain [127.0.0.1])
	by sunsite.mff.cuni.cz (8.13.8/8.13.8) with ESMTP id l3UGoDYv030989;
	Mon, 30 Apr 2007 18:50:13 +0200
Received: (from jakub@localhost)
	by sunsite.mff.cuni.cz (8.13.8/8.13.8/Submit) id l3UGoDMI030987;
	Mon, 30 Apr 2007 18:50:13 +0200
Date: Mon, 30 Apr 2007 16:42:00 -0000
From: Jakub Jelinek <jakub@redhat.com>
To: Ulrich Drepper <drepper@redhat.com>
Cc: Glibc hackers <libc-hacker@sources.redhat.com>
Subject: [PATCH] Fix inet_ntop
Message-ID: <20070430165012.GQ1826@sunsite.mff.cuni.cz>
Reply-To: Jakub Jelinek <jakub@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.2i
Mailing-List: contact libc-hacker-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-hacker.sourceware.org>
List-Subscribe: <mailto:libc-hacker-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-hacker/>
List-Post: <mailto:libc-hacker@sourceware.org>
List-Help: <mailto:libc-hacker-help@sourceware.org>, <http://sourceware.org/ml/#faqs>
Sender: libc-hacker-owner@sourceware.org
X-SW-Source: 2007-04/txt/msg00012.txt.bz2

Hi!

The size check doesn't take into account the trailing '\0'.

2007-04-30  Jakub Jelinek  <jakub@redhat.com>

	[BZ #4439]
	* resolv/inet_ntop.c (inet_ntop4): Take terminating '\0' into
	account in the size check.
	* resolv/tst-inet_ntop.c: New test.

--- libc/resolv/inet_ntop.c.jj	2002-08-03 14:08:47.000000000 +0200
+++ libc/resolv/inet_ntop.c	2007-04-30 18:02:12.000000000 +0200
@@ -96,7 +96,7 @@ inet_ntop4(src, dst, size)
 	static const char fmt[] = "%u.%u.%u.%u";
 	char tmp[sizeof "255.255.255.255"];
 
-	if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) > size) {
+	if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) >= size) {
 		__set_errno (ENOSPC);
 		return (NULL);
 	}
--- libc/resolv/tst-inet_ntop.c.jj	2007-04-30 18:36:40.000000000 +0200
+++ libc/resolv/tst-inet_ntop.c	2007-04-30 18:35:09.000000000 +0200
@@ -0,0 +1,111 @@
+#include <arpa/inet.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <string.h>
+
+int
+main (void)
+{
+  struct in_addr addr4;
+  struct in6_addr addr6;
+  char buf[64];
+  int result = 0;
+
+  addr4.s_addr = 0xe0e0e0e0;
+  addr6.s6_addr16[0] = 0;
+  addr6.s6_addr16[1] = 0;
+  addr6.s6_addr16[2] = 0;
+  addr6.s6_addr16[3] = 0;
+  addr6.s6_addr16[4] = 0;
+  addr6.s6_addr16[5] = 0xffff;
+  addr6.s6_addr32[3] = 0xe0e0e0e0;
+  memset (buf, 'x', sizeof buf);
+
+  if (inet_ntop (AF_INET, &addr4, buf, 15) != NULL)
+    {
+      puts ("1st inet_ntop returned non-NULL");
+      result++;
+    }
+  else if (errno != ENOSPC)
+    {
+      puts ("1st inet_ntop didn't fail with ENOSPC");
+      result++;
+    }
+  if (buf[15] != 'x')
+    {
+      puts ("1st inet_ntop wrote past the end of buffer");
+      result++;
+    }
+
+  if (inet_ntop (AF_INET, &addr4, buf, 16) != buf)
+    {
+      puts ("2nd inet_ntop did not return buf");
+      result++;
+    }
+  if (memcmp (buf, "224.224.224.224\0" "xxxxxxxx", 24) != 0)
+    {
+      puts ("2nd inet_ntop wrote past the end of buffer");
+      result++;
+    }
+
+  if (inet_ntop (AF_INET6, &addr6, buf, 22) != NULL)
+    {
+      puts ("3rd inet_ntop returned non-NULL");
+      result++;
+    }
+  else if (errno != ENOSPC)
+    {
+      puts ("3rd inet_ntop didn't fail with ENOSPC");
+      result++;
+    }
+  if (buf[22] != 'x')
+    {
+      puts ("3rd inet_ntop wrote past the end of buffer");
+      result++;
+    }
+
+  if (inet_ntop (AF_INET6, &addr6, buf, 23) != buf)
+    {
+      puts ("4th inet_ntop did not return buf");
+      result++;
+    }
+  if (memcmp (buf, "::ffff:224.224.224.224\0" "xxxxxxxx", 31) != 0)
+    {
+      puts ("4th inet_ntop wrote past the end of buffer");
+      result++;
+    }
+
+  memset (&addr6.s6_addr, 0xe0, sizeof (addr6.s6_addr));
+
+  if (inet_ntop (AF_INET6, &addr6, buf, 39) != NULL)
+    {
+      puts ("5th inet_ntop returned non-NULL");
+      result++;
+    }
+  else if (errno != ENOSPC)
+    {
+      puts ("5th inet_ntop didn't fail with ENOSPC");
+      result++;
+    }
+  if (buf[39] != 'x')
+    {
+      puts ("5th inet_ntop wrote past the end of buffer");
+      result++;
+    }
+
+  if (inet_ntop (AF_INET6, &addr6, buf, 40) != buf)
+    {
+      puts ("6th inet_ntop did not return buf");
+      result++;
+    }
+  if (memcmp (buf, "e0e0:e0e0:e0e0:e0e0:e0e0:e0e0:e0e0:e0e0\0"
+		   "xxxxxxxx", 48) != 0)
+    {
+      puts ("6th inet_ntop wrote past the end of buffer");
+      result++;
+    }
+
+  
+  return result;
+}
--- libc/resolv/Makefile.jj	2004-08-15 22:21:59.000000000 +0200
+++ libc/resolv/Makefile	2007-04-30 18:39:23.000000000 +0200
@@ -1,4 +1,4 @@
-# Copyright (C) 1994,1995,1996,1997,1998,1999,2000,2001,2003,2004
+# Copyright (C) 1994,1995,1996,1997,1998,1999,2000,2001,2003,2004,2007
 #	Free Software Foundation, Inc.
 # This file is part of the GNU C Library.
 
@@ -32,7 +32,7 @@ distribute := ../conf/portability.h mapv
 routines := herror inet_addr inet_ntop inet_pton nsap_addr res_init \
 	    res_hconf res_libc res-state
 
-tests = tst-aton tst-leaks
+tests = tst-aton tst-leaks tst-inet_ntop
 xtests = tst-leaks2
 
 generate := mtrace-tst-leaks tst-leaks.mtrace tst-leaks2.mtrace

	Jakub