Date: Sat, 21 Mar 2015 23:13:03 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: Konstantin Serebryany <konstantin.s.serebryany@...il.com>,
Rich Felker <dalias@...c.org>, musl@...ts.openwall.com
Subject: Re: buffer overflow in regcomp and a way to find more of those

* Szabolcs Nagy <nsz@...t70.net> [2015-03-21 22:38:25 +0100]:
> ah.. r14 is incremented as the string is parsed
> the original string is
>
> (gdb) p (char*)0x6e2dc3-35
> $37 = 0x6e2da0 "8:a:2:8:3:28:8::2:83:20:8:2:833:23:2.8288;3:33::2.82.83333"
>
> with this i can reproduce the crash

i assume

  1:2:3:4:5:6:7::

is an invalid ipv6 address

currently musl gets the :: handling wrong at the end and it
goes on clobbering memory, i guess this is a security critical
issue

a possible fix is attached but probably the code should
be made clearer here

View attachment "inet_pton.diff" of type "text/x-diff" (359 bytes)