Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAK4o1Wy_cqo_rD5JX7uyJyc8uXY2L5U=8RzL8aG5dgW8US2PSA@mail.gmail.com>
Date: Sun, 22 Mar 2015 06:36:58 +0000
From: Justin Cormack <justin@...cialbusservice.com>
To: musl@...ts.openwall.com, 
	Konstantin Serebryany <konstantin.s.serebryany@...il.com>, Rich Felker <dalias@...c.org>
Subject: Re: buffer overflow in regcomp and a way to find more of those

On 21 March 2015 at 22:13, Szabolcs Nagy <nsz@...t70.net> wrote:
> * Szabolcs Nagy <nsz@...t70.net> [2015-03-21 22:38:25 +0100]:
>> ah.. r14 is incremented as the string is parsed
>> the original string is
>>
>> (gdb) p (char*)0x6e2dc3-35
>> $37 = 0x6e2da0 "8:a:2:8:3:28:8::2:83:20:8:2:833:23:2.8288;3:33::2.82.83333"
>>
>> with this i can reproduce the crash
>
> i assume
>
> 1:2:3:4:5:6:7::
>
> is invalid ipv6 address

No, it is valid, the last :: expands to :0. RFC 2373 says "The "::"
can also be used to compress the leading and/or trailing zeros in an
address."

Justin

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.