This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug admin/7085] New: check memory space in inet6_rth_add()
- From: "shanwei at cn dot fujitsu dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 9 Dec 2008 07:55:06 -0000
- Subject: [Bug admin/7085] New: check memory space in inet6_rth_add()
- Reply-to: sourceware-bugzilla at sourceware dot org
Add the checking for two reasons:
1)if not check, it may cause segmentation fault.
2)if not check, errorous packets will be send to the netwok,
without any compiler error.
But after adding the check, we can find the problem ASAP.
for example: (contribute a Router Header using)
inet6_rth_init(buffer, 24, 0, 0)
inet6_rth_add(buffer, IpAddr)
Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
---
inet/inet6_rth.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/inet/inet6_rth.c b/inet/inet6_rth.c
index a11ba20..851f80d 100644
--- a/inet/inet6_rth.c
+++ b/inet/inet6_rth.c
@@ -91,9 +91,14 @@ inet6_rth_add (void *bp, const struct in6_addr *addr)
switch (rthdr->ip6r_type)
{
struct ip6_rthdr0 *rthdr0;
+ int total = rthdr0->ip6r0_len * 8 / sizeof (struct in6_addr);
case IPV6_RTHDR_TYPE_0:
rthdr0 = (struct ip6_rthdr0 *) rthdr;
+ /* if no space to add the IPv6 address, return -1. */
+ if (total - rthdr0->ip6r0_segleft < 1)
+ return -1;
+
memcpy (&rthdr0->ip6r0_addr[rthdr0->ip6r0_segleft++],
addr, sizeof (struct in6_addr));
--
Summary: check memory space in inet6_rth_add()
Product: glibc
Version: 2.8
Status: NEW
Severity: normal
Priority: P2
Component: admin
AssignedTo: roland at gnu dot org
ReportedBy: shanwei at cn dot fujitsu dot com
CC: glibc-bugs at sources dot redhat dot com,shanwei at cn
dot fujitsu dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=7085
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.