Fix overlapping buffers passed to strncpy which is UB. format_host_rta_r writes to the buffer passed to it, so hostname (derived from b1) & b1 partly overlap. This gets worse with sys-libs/glibc-2.37 where the ip route output can be truncated, but it was UB anyway and you can see it occurring w/ glibc-2.36. Bug: https://lore.kernel.org/netdev/0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org/T/#u Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30112 Thanks-to: Doug Freed Signed-off-by: Sam James --- ip/iproute.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ip/iproute.c b/ip/iproute.c index 0bab0fdf..a7cd9543 100644 --- a/ip/iproute.c +++ b/ip/iproute.c @@ -748,6 +748,7 @@ int print_route(struct nlmsghdr *n, void *arg) int ret; SPRINT_BUF(b1); + SPRINT_BUF(b2); if (n->nlmsg_type != RTM_NEWROUTE && n->nlmsg_type != RTM_DELROUTE) { fprintf(stderr, "Not a route: %08x %08x %08x\n", @@ -809,7 +810,7 @@ int print_route(struct nlmsghdr *n, void *arg) r->rtm_dst_len); } else { const char *hostname = format_host_rta_r(family, tb[RTA_DST], - b1, sizeof(b1)); + b2, sizeof(b2)); if (hostname) strncpy(b1, hostname, sizeof(b1) - 1); } @@ -832,7 +833,7 @@ int print_route(struct nlmsghdr *n, void *arg) r->rtm_src_len); } else { const char *hostname = format_host_rta_r(family, tb[RTA_SRC], - b1, sizeof(b1)); + b2, sizeof(b2)); if (hostname) strncpy(b1, hostname, sizeof(b1) - 1); } -- 2.39.1