author | Sam James <sam@gentoo.org> | 2023-02-13 03:26:31 +0000 |
---|---|---|
committer | Stephen Hemminger <stephen@networkplumber.org> | 2023-02-17 17:36:20 -0800 |
commit | 890c599ec2e8905e7b8a433be3646d5d34901810 (patch) | |
tree | a55a92d4fdf9907e433f5806e7a99d4e871cc803 /ip | |
parent | adae3cef283423bff69a89a5055387c870aef4bc (diff) | |
ip: fix UB in strncpy (e.g. truncated ip route output)
Fix overlapping buffers passed to strncpy which is UB. format_host_rta_r writes
to the buffer passed to it, so hostname (derived from b1) & b1 partly overlap.
This gets worse with sys-libs/glibc-2.37 where the ip route output can be truncated,
but it was UB anyway and you can see it occurring w/ glibc-2.36.
Bug: https://lore.kernel.org/netdev/0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org/T/#u
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30112
Thanks-to: Doug Freed <dwfreed@mtu.edu>
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Diffstat (limited to 'ip')
-rw-r--r-- | ip/iproute.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/ip/iproute.c b/ip/iproute.c
index 0bab0fdf..a7cd9543 100644
--- a/ip/iproute.c
+++ b/ip/iproute.c
@@ -748,6 +748,7 @@ int print_route(struct nlmsghdr *n, void *arg)
 int ret;
 SPRINT_BUF(b1);
+ SPRINT_BUF(b2);
 if (n->nlmsg_type != RTM_NEWROUTE && n->nlmsg_type != RTM_DELROUTE) {
 fprintf(stderr, "Not a route: %08x %08x %08x\n",
@@ -809,7 +810,7 @@ int print_route(struct nlmsghdr *n, void *arg)
 r->rtm_dst_len);
 } else {
 const char *hostname = format_host_rta_r(family, tb[RTA_DST],
- b1, sizeof(b1));
+ b2, sizeof(b2));
 if (hostname)
 strncpy(b1, hostname, sizeof(b1) - 1);
 }
@@ -832,7 +833,7 @@ int print_route(struct nlmsghdr *n, void *arg)
 r->rtm_src_len);
 } else {
 const char *hostname = format_host_rta_r(family, tb[RTA_SRC],
- b1, sizeof(b1));
+ b2, sizeof(b2));
 if (hostname)
 strncpy(b1, hostname, sizeof(b1) - 1);
 } |
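Review bot: In the RTA_DST hunk (-809), `strncpy(b1, hostname, sizeof(b1) - 1);` never writes the last byte of b1, so b1 is NUL-terminated only when hostname is shorter than `sizeof(b1) - 1` or b1 was zeroed beforehand; the SPRINT_BUF definition is not visible on this page, so the latter cannot be confirmed from here. Now that source and destination no longer overlap, `snprintf(b1, sizeof(b1), "%s", hostname);` would bound the copy and guarantee termination in one step, and its return value can be checked if silent truncation of a long resolved name matters. The same applies to the RTA_SRC hunk (-832). print_route's body extends beyond both hunks, so how b1 is consumed afterwards, and what it holds when hostname is NULL, is not visible here.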