Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 21 Mar 2015 23:13:03 +0100
From: Szabolcs Nagy <>
To: Konstantin Serebryany <>,
	Rich Felker <>,
Subject: Re: buffer overflow in regcomp and a way to find more of those

* Szabolcs Nagy <> [2015-03-21 22:38:25 +0100]:
> ah.. r14 is incremented as the string is parsed
> the original string is
> (gdb) p (char*)0x6e2dc3-35
> $37 = 0x6e2da0 "8:a:2:8:3:28:8::2:83:20:8:2:833:23:2.8288;3:33::2.82.83333"
> with this i can reproduce the crash

i assume


is invalid ipv6 address

currently musl gets the :: handling wrong at the end and it
goes on clobbering memory, i guess this is security critical

a possible fix is attached but probably the code should
be made clearer here

View attachment "inet_pton.diff" of type "text/x-diff" (359 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.