This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug network/22463] New: p_secstodate overflow handling


https://sourceware.org/bugzilla/show_bug.cgi?id=22463

            Bug ID: 22463
           Summary: p_secstodate overflow handling
           Product: glibc
           Version: 2.26
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org
  Target Milestone: ---

The resolv/res_debug.c function p_secstodate does:

        struct tm timebuf;
        time = __gmtime_r(&clock, &timebuf);
        time->tm_year += 1900;
        time->tm_mon += 1;
        sprintf(output, "%04d%02d%02d%02d%02d%02d",
                time->tm_year, time->tm_mon, time->tm_mday,
                time->tm_hour, time->tm_min, time->tm_sec);

If __gmtime_r returns NULL (because the year overflows the range of int), this
will dereference a null pointer.  Otherwise, if the computed year does not fit
in four characters, this will cause a buffer overrun of the fixed-size 15-byte
buffer.  With current GCC mainline, there is a compilation failure (the
estimate of possible output size is excessive because GCC doesn't know the
range limits on most of the fields - putting checks on the ranges that call
__builtin_unreachable or abort on failure would probably suffice to tell GCC
the possible size of output for fields other than tm_year - but for tm_year
there is a genuine buffer overrun bug if called for times that involve large
years):

res_debug.c:1069:23: error: '%02d' directive writing between 2 and 11 bytes
into a region of size between 4 and 11 [-Werror=format-overflow=]
  sprintf(output, "%04d%02d%02d%02d%02d%02d",
                       ^~~~
res_debug.c:1069:18: note: directive argument in the range [-2147483647,
2147483647]
  sprintf(output, "%04d%02d%02d%02d%02d%02d",
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~
res_debug.c:1069:2: note: 'sprintf' output between 15 and 67 bytes into a
destination of size 15
  sprintf(output, "%04d%02d%02d%02d%02d%02d",
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   time->tm_year, time->tm_mon, time->tm_mday,
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   time->tm_hour, time->tm_min, time->tm_sec);
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
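For reference, a hardened version of the formatting step described above, added here as an illustration and not glibc's own fix: it assumes a hypothetical `secstodate_checked` that checks the `gmtime_r` result and the year range before formatting, and uses the 15-byte buffer size the report gives.

```c
#define _POSIX_C_SOURCE 200809L  /* for gmtime_r */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical hardened rewrite of the formatting step in p_secstodate
   (an added example, not glibc's fix). 15 bytes is the buffer size from
   the report: 14 characters of "YYYYMMDDhhmmss" plus the terminating NUL. */
#define SECSTODATE_BUFLEN 15

/* Formats secs as a 14-character UTC timestamp into out (outlen bytes).
   Returns 0 on success and -1 if gmtime_r fails (the year does not fit in
   tm_year) or if the year would need more than four digits; on failure the
   buffer holds the fixed string "<overflow>" so callers never read garbage. */
int secstodate_checked(time_t secs, char *out, size_t outlen)
{
    struct tm timebuf;
    struct tm *t;

    if (outlen < SECSTODATE_BUFLEN)
        return -1;

    t = gmtime_r(&secs, &timebuf);
    if (t == NULL) {
        /* The NULL-return case from the report: the year overflowed int. */
        strcpy(out, "<overflow>");
        return -1;
    }
    /* Check tm_year before adding 1900 so the addition itself cannot
       overflow; %04d prints more than four characters outside 0..9999. */
    if (t->tm_year < -1900 || t->tm_year > 9999 - 1900) {
        strcpy(out, "<overflow>");
        return -1;
    }
    /* Every field is now bounded, so the output is exactly 14 characters
       plus NUL; snprintf with the real size cannot overrun in any case. */
    snprintf(out, outlen, "%04d%02d%02d%02d%02d%02d",
             t->tm_year + 1900, t->tm_mon + 1, t->tm_mday,
             t->tm_hour, t->tm_min, t->tm_sec);
    return 0;
}

/* Convenience wrapper: formats secs into a static buffer and returns it. */
const char *secstodate_str(time_t secs)
{
    static char buf[SECSTODATE_BUFLEN];
    secstodate_checked(buf != NULL ? secs : 0, buf, sizeof buf);
    return buf;
}
```

With a 64-bit `time_t`, `secstodate_str((time_t)1 << 40)` hits the four-digit year check and `secstodate_str((time_t)1 << 62)` hits the NULL-return check; both yield "<overflow>" instead of a crash or an overrun.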

