[LARTC] buffer overflow in ip
Radek Vokál
rvokal at redhat.com
Fri Oct 7 07:31:32 CEST 2005
This patch fixes the problem
--- iproute2-ss050901/ip/iproute.c~ 2005-09-01 14:21:50.000000000 -0500
+++ iproute2-ss050901/ip/iproute.c 2005-10-06 21:30:36.000000000 -0500
@@ -216,13 +216,13 @@ int print_route(const struct sockaddr_nl
memset(&via, 0, sizeof(via));
via.family = r->rtm_family;
if (tb[RTA_GATEWAY])
- memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), host_len);
+ memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), host_len/8);
}
if (filter.rprefsrc.bitlen>0) {
memset(&prefsrc, 0, sizeof(prefsrc));
prefsrc.family = r->rtm_family;
if (tb[RTA_PREFSRC])
- memcpy(&prefsrc.data, RTA_DATA(tb[RTA_PREFSRC]), host_len);
+ memcpy(&prefsrc.data, RTA_DATA(tb[RTA_PREFSRC]), host_len/8);
}
if (filter.rdst.family && inet_addr_match(&dst, &filter.rdst, filter.rdst.bitlen))
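Review bot: Both changed memcpy calls (the RTA_GATEWAY copy into via.data and the RTA_PREFSRC copy into prefsrc.data) now use host_len/8 as the length, but nothing in the visible lines checks that length against the attribute payload or the destination. I would bound each copy by RTA_PAYLOAD() of the attribute and by sizeof(via.data) or sizeof(prefsrc.data), and skip the copy when host_len/8 exceeds either, so that a short or malformed attribute cannot cause an over-read or an overflow. Since the root cause is a unit mix-up, a short comment where host_len is set stating that it is in bits, or a local byte-length variable used by both calls, would keep the bare host_len from being passed to memcpy again.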
host_len should be divided by 8, as its unit is bits, whereas memcpy uses
byte units.
On Thu, 2005-10-06 at 15:37 +0200, Radek Vokál wrote:
> This comes from iproute-ss050901, rebuilt on FC4 with -fortify-source
> option. Seems like ip has a buffer overflow which sometimes causes a
> segfault..
>
> will try to look at it tmrw, so far here's my gdb output.
--
Radek Vokál <rvokal at redhat.com>
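The unit mix-up described in the message above (a length held in bits passed to memcpy, which counts bytes), as an added C example that is not part of the original post or of iproute2. `addr_buf`, `attr_view` and `copy_addr_bits` are hypothetical stand-ins and the sample address is constructed; besides converting bits to bytes, the function refuses a copy that would exceed the destination or the attribute payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an address buffer; not iproute2's own type. */
struct addr_buf {
    uint8_t bytelen;
    int16_t bitlen;
    uint8_t data[16];            /* room for one IPv6 address */
};

/* Hypothetical view of an attribute payload; payload_len is in bytes. */
struct attr_view {
    const void *payload;
    size_t payload_len;
};

/* Copy an address whose length arrives in bits (like host_len in the patch).
 * Returns the number of bytes copied, or -1 if the copy is refused. */
int copy_addr_bits(struct addr_buf *dst, const struct attr_view *attr,
                   unsigned int len_bits)
{
    size_t nbytes;

    if (!dst || !attr || !attr->payload)
        return -1;
    if (len_bits == 0 || len_bits % 8 != 0)
        return -1;               /* not a whole number of bytes */
    nbytes = len_bits / 8;       /* bits -> bytes before any memcpy */
    if (nbytes > sizeof(dst->data))
        return -1;               /* would write past the destination */
    if (nbytes > attr->payload_len)
        return -1;               /* would read past the attribute */
    memset(dst->data, 0, sizeof(dst->data));
    memcpy(dst->data, attr->payload, nbytes);
    dst->bytelen = (uint8_t)nbytes;
    dst->bitlen = (int16_t)len_bits;
    return (int)nbytes;
}

int main(void)
{
    const uint8_t v4[4] = { 192, 0, 2, 1 };   /* constructed sample address */
    struct attr_view attr = { v4, sizeof(v4) };
    struct addr_buf via;
    printf("32 bits  -> %d\n", copy_addr_bits(&via, &attr, 32));
    printf("128 bits -> %d\n", copy_addr_bits(&via, &attr, 128));
    return 0;
}
```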