jobcore/iproute2/fix_overlapping_buffers.patch
2023-02-15 02:35:34 +02:00

46 lines
1.5 KiB
Diff

Fix overlapping buffers passed to strncpy which is UB. format_host_rta_r writes
to the buffer passed to it, so hostname (derived from b1) & b1 partly overlap.
This gets worse with sys-libs/glibc-2.37 where the ip route output can be truncated,
but it was UB anyway and you can see it occurring w/ glibc-2.36.
Bug: https://lore.kernel.org/netdev/0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org/T/#u
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30112
Thanks-to: Doug Freed <dwfreed@mtu.edu>
Signed-off-by: Sam James <sam@gentoo.org>
---
ip/iproute.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ip/iproute.c b/ip/iproute.c
index 0bab0fdf..a7cd9543 100644
--- a/ip/iproute.c
+++ b/ip/iproute.c
@@ -748,6 +748,7 @@ int print_route(struct nlmsghdr *n, void *arg)
int ret;
SPRINT_BUF(b1);
+ SPRINT_BUF(b2);
if (n->nlmsg_type != RTM_NEWROUTE && n->nlmsg_type != RTM_DELROUTE) {
fprintf(stderr, "Not a route: %08x %08x %08x\n",
@@ -809,7 +810,7 @@ int print_route(struct nlmsghdr *n, void *arg)
r->rtm_dst_len);
} else {
const char *hostname = format_host_rta_r(family, tb[RTA_DST],
- b1, sizeof(b1));
+ b2, sizeof(b2));
if (hostname)
strncpy(b1, hostname, sizeof(b1) - 1);
}
@@ -832,7 +833,7 @@ int print_route(struct nlmsghdr *n, void *arg)
r->rtm_src_len);
} else {
const char *hostname = format_host_rta_r(family, tb[RTA_SRC],
- b1, sizeof(b1));
+ b2, sizeof(b2));
if (hostname)
strncpy(b1, hostname, sizeof(b1) - 1);
}
--
2.39.1