This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug network/22463] New: p_secstodate overflow handling
- From: "jsm28 at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 20 Nov 2017 19:00:45 +0000
- Subject: [Bug network/22463] New: p_secstodate overflow handling
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22463
Bug ID: 22463
Summary: p_secstodate overflow handling
Product: glibc
Version: 2.26
Status: NEW
Severity: normal
Priority: P2
Component: network
Assignee: unassigned at sourceware dot org
Reporter: jsm28 at gcc dot gnu.org
Target Milestone: ---
The resolv/res_debug.c function p_secstodate does:
        struct tm timebuf;
        time = __gmtime_r(&clock, &timebuf);
        time->tm_year += 1900;
        time->tm_mon += 1;
        sprintf(output, "%04d%02d%02d%02d%02d%02d",
                time->tm_year, time->tm_mon, time->tm_mday,
                time->tm_hour, time->tm_min, time->tm_sec);
If __gmtime_r returns NULL (because the year overflows the range of int), this
will dereference a null pointer. Otherwise, if the computed year does not fit
in four characters, this will cause a buffer overrun of the fixed-size 15-byte
buffer. With current GCC mainline, there is a compilation failure (the
estimate of possible output size is excessive because GCC doesn't know the
range limits on most of the fields - putting checks on the ranges that call
__builtin_unreachable or abort on failure would probably suffice to tell GCC
the possible size of output for fields other than tm_year - but for tm_year
there is a genuine buffer overrun bug if called for times that involve large
years):
res_debug.c:1069:23: error: '%02d' directive writing between 2 and 11 bytes
into a region of size between 4 and 11 [-Werror=format-overflow=]
sprintf(output, "%04d%02d%02d%02d%02d%02d",
^~~~
res_debug.c:1069:18: note: directive argument in the range [-2147483647,
2147483647]
sprintf(output, "%04d%02d%02d%02d%02d%02d",
^~~~~~~~~~~~~~~~~~~~~~~~~~
res_debug.c:1069:2: note: 'sprintf' output between 15 and 67 bytes into a
destination of size 15
sprintf(output, "%04d%02d%02d%02d%02d%02d",
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
time->tm_year, time->tm_mon, time->tm_mday,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
time->tm_hour, time->tm_min, time->tm_sec);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
You are receiving this mail because:
You are on the CC list for the bug.
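As an added example (not code from the bug report and not glibc's own fix), the C program below makes the two failure modes described above observable without actually corrupting memory. unsafe_format_len() runs the original format string through snprintf(NULL, 0, ...) to report how many characters the original sprintf() would have written into the 15-byte buffer, and returns -1 where the original code would have dereferenced the NULL returned by gmtime_r. secstodate_safe() is one hardened variant of the same routine: caller-supplied buffer, NULL check, range check on the year before formatting, bounded snprintf(). The function names, return conventions and sample inputs (the epoch, this report's own timestamp, the first second of year 10000, and the largest positive value a 64-bit time_t can hold) are this example's own; the two overflow inputs assume a 64-bit time_t and unsigned long.

```c
/* Added example for glibc bug 22463: the p_secstodate pattern, measured and
   hardened.  Not glibc code; all names and sample values are this example's. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SECSTODATE_LEN 15   /* "YYYYMMDDHHMMSS" plus NUL, the original buffer size */

/* Characters the original sprintf() would emit for SECS, computed with
   snprintf(NULL, 0, ...) so nothing is overrun here.  Returns -1 where the
   original code would have dereferenced a NULL struct tm. */
int unsafe_format_len(unsigned long secs)
{
    time_t clock = (time_t) secs;          /* same implicit conversion as the original */
    struct tm timebuf;
    struct tm *time = gmtime_r(&clock, &timebuf);
    if (time == NULL)
        return -1;
    long long year = (long long) time->tm_year + 1900;   /* avoid int overflow */
    return snprintf(NULL, 0, "%04lld%02d%02d%02d%02d%02d",
                    year, time->tm_mon + 1, time->tm_mday,
                    time->tm_hour, time->tm_min, time->tm_sec);
}

/* Hardened variant: caller supplies the buffer, NULL from gmtime_r is an
   error, the year is range-checked before formatting, and snprintf bounds
   the write.  Returns 0 on success, -1 with errno = EOVERFLOW otherwise. */
int secstodate_safe(unsigned long secs, char *out, size_t outlen)
{
    time_t clock = (time_t) secs;
    struct tm timebuf;
    struct tm *time = gmtime_r(&clock, &timebuf);
    if (time == NULL) {
        errno = EOVERFLOW;
        return -1;
    }
    long long year = (long long) time->tm_year + 1900;
    if (year < 0 || year > 9999 || outlen < SECSTODATE_LEN) {
        errno = EOVERFLOW;                 /* would not fit "%04d" or the buffer */
        return -1;
    }
    int n = snprintf(out, outlen, "%04lld%02d%02d%02d%02d%02d",
                     year, time->tm_mon + 1, time->tm_mday,
                     time->tm_hour, time->tm_min, time->tm_sec);
    return (n == SECSTODATE_LEN - 1) ? 0 : -1;
}

/* Helpers so the results can be checked by name. */
int check_date(unsigned long secs, const char *expected)
{
    char buf[SECSTODATE_LEN];
    if (secstodate_safe(secs, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int rejects(unsigned long secs, size_t outlen)
{
    char buf[SECSTODATE_LEN];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    return secstodate_safe(secs, buf, outlen) == -1;
}

int main(void)
{
    /* Constructed sample inputs (not from the report): the epoch, the
       report's own timestamp, the first second of year 10000, and the
       largest positive value a 64-bit time_t can hold. */
    const unsigned long samples[] = { 0UL, 1511204445UL, 253402300800UL, ULONG_MAX / 2 };
    char buf[SECSTODATE_LEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int len = unsafe_format_len(samples[i]);
        if (len < 0)
            printf("%lu: gmtime_r returned NULL; original code would dereference it\n",
                   samples[i]);
        else
            printf("%lu: original sprintf would write %d chars into a %d-byte buffer%s\n",
                   samples[i], len, SECSTODATE_LEN,
                   len > SECSTODATE_LEN - 1 ? " (OVERRUN)" : "");
        if (secstodate_safe(samples[i], buf, sizeof buf) == 0)
            printf("%lu: hardened result %s\n", samples[i], buf);
        else
            printf("%lu: hardened routine rejected the input (errno %d)\n",
                   samples[i], errno);
    }
    return 0;
}
```

Build with `cc -Wall -o secstodate secstodate.c` and run it. For the epoch and the report's timestamp both routines agree on a 14-character result; for 253402300800 (year 10000) the measured length is 15, one byte more than the 15-byte buffer can hold once the NUL is counted, which is exactly the overrun GCC's -Wformat-overflow is warning about; for the largest time_t, glibc's gmtime_r returns NULL with EOVERFLOW, the path on which the original code crashes. Note that the year check must be done after gmtime_r rather than by bounding the input, because the u_long-to-time_t conversion in the original wraps large inputs to negative values.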