diff mbox

alfred: Avoid buffer overflow while querying ARP cache

Message ID	20170127141044.5317-1-sven@narfation.org (mailing list archive)
State	Accepted, archived
Commit	26ef92b456a420869eeffe5ab5c0de77354dd245
Delegated to:	Simon Wunderlich
Headers	Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=79.140.41.39; helo=v3-1039.vlinux.de; envelope-from=sven@narfation.org; receiver=b.a.t.m.a.n@lists.open-mesh.org From: Sven Eckelmann <sven@narfation.org> To: b.a.t.m.a.n@lists.open-mesh.org Date: Fri, 27 Jan 2017 15:10:44 +0100 Message-Id: <20170127141044.5317-1-sven@narfation.org> Subject: [B.A.T.M.A.N.] [PATCH] alfred: Avoid buffer overflow while querying ARP cache Precedence: list Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking <b.a.t.m.a.n@lists.open-mesh.org> Errors-To: b.a.t.m.a.n-bounces@lists.open-mesh.org Sender: "B.A.T.M.A.N" <b.a.t.m.a.n-bounces@lists.open-mesh.org>

Commit Message

Sven Eckelmann Jan. 27, 2017, 2:10 p.m. UTC

  The arpreq.arp_dev is a limited buffer (16 bytes). Avoid that more bytes
from the interface name are copied into this buffer by switching from
strcpy to strncpy.

Fixes: c7da798113a2 ("alfred: IPv4 multicast distribution support.")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
 util.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Antonio Quartulli Jan. 27, 2017, 2:34 p.m. UTC | #1

On Fri, Jan 27, 2017 at 03:10:44PM +0100, Sven Eckelmann wrote:
> The arpreq.arp_dev is a limited buffer (16 bytes). Avoid that more bytes
> from the interface name are copied into this buffer by switching from
> strcpy to strncpy.
> 
> Fixes: c7da798113a2 ("alfred: IPv4 multicast distribution support.")
> Signed-off-by: Sven Eckelmann <sven@narfation.org>
> ---
>  util.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/util.c b/util.c
> index 84ab3af..ed83895 100644
> --- a/util.c
> +++ b/util.c
> @@ -92,7 +92,9 @@ int ipv4_arp_request(struct interface *interface, const alfred_addr *addr,
>  	sin->sin_family = AF_INET;
>  	sin->sin_addr.s_addr = addr->ipv4.s_addr;
>  
> -	strcpy(arpreq.arp_dev, interface->interface);
> +	strncpy(arpreq.arp_dev, interface->interface, sizeof(arpreq.arp_dev));

arpreq is already set to 0 few lines above. why not simpling
"sizeof(arpreq.arp_dev) - 1" as last argument for the strncpy() and avoid the
line below?

Or is this required for consistency with the rest of the code?


Cheers,

Sven Eckelmann Jan. 27, 2017, 8:08 p.m. UTC | #2

On Freitag, 27. Januar 2017 22:34:22 CET Antonio Quartulli wrote:
[...]
> arpreq is already set to 0 few lines above. why not simpling
> "sizeof(arpreq.arp_dev) - 1" as last argument for the strncpy() and avoid the
> line below?
> 
> Or is this required for consistency with the rest of the code?

It is done for consistency.

Kind regards,
	Sven

Simon Wunderlich Jan. 30, 2017, 8:29 a.m. UTC | #3

On Friday, January 27, 2017 3:10:44 PM CET Sven Eckelmann wrote:
> The arpreq.arp_dev is a limited buffer (16 bytes). Avoid that more bytes
> from the interface name are copied into this buffer by switching from
> strcpy to strncpy.
> 
> Fixes: c7da798113a2 ("alfred: IPv4 multicast distribution support.")
> Signed-off-by: Sven Eckelmann <sven@narfation.org>

Committed in revision 26ef92b.

Thank you,
     Simon

diff mbox

Patch

diff --git a/util.c b/util.c
index 84ab3af..ed83895 100644
--- a/util.c
+++ b/util.c
@@ -92,7 +92,9 @@  int ipv4_arp_request(struct interface *interface, const alfred_addr *addr,
 	sin->sin_family = AF_INET;
 	sin->sin_addr.s_addr = addr->ipv4.s_addr;
 
-	strcpy(arpreq.arp_dev, interface->interface);
+	strncpy(arpreq.arp_dev, interface->interface, sizeof(arpreq.arp_dev));
+	arpreq.arp_dev[sizeof(arpreq.arp_dev) - 1] = '\0';
+
 	if (ioctl(interface->netsock, SIOCGARP, &arpreq) < 0)
 		return -1;