Date: Mon, 27 Feb 2023 23:18:02 +0300 From: Alexey Izbyshev <izbyshev@...ras.ru> To: musl@...ts.openwall.com Subject: [PATCH] getservbyport_r: fix out-of-bounds buffer read If the buffer passed to getservbyport_r is just enough to store two pointers after aligning it, getnameinfo is called with buflen == 0 (which means that service name is not needed) and trivially succeeds. Then, strtol is called on the address just past the buffer end, and if it doesn't happen to find the port number there, getservbyport_r spuriously succeeds and returns the same bad address to the caller. Fix this by ensuring that buflen is at least 1 when passed to getnameinfo. --- src/network/getservbyport_r.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/network/getservbyport_r.c b/src/network/getservbyport_r.c index b7f21c6b..d3a22b8c 100644 --- a/src/network/getservbyport_r.c +++ b/src/network/getservbyport_r.c @@ -26,7 +26,7 @@ int getservbyport_r(int port, const char *prots, /* Align buffer */ i = (uintptr_t)buf & sizeof(char *)-1; if (!i) i = sizeof(char *); - if (buflen < 3*sizeof(char *)-i) + if (buflen <= 3*sizeof(char *)-i) return ERANGE; buf += sizeof(char *)-i; buflen -= sizeof(char *)-i; -- 2.39.1
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.