From: Szabolcs Nagy
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: buffer overflow in regcomp and a way to find more of those
Date: Sat, 21 Mar 2015 23:13:03 +0100
Message-ID: <20150321221303.GL16260@port70.net>
In-Reply-To: <20150321213825.GK16260@port70.net>
References: <20150321013225.GT23507@brightrain.aerifal.cx> <20150321015619.GU23507@brightrain.aerifal.cx> <20150321022023.GW23507@brightrain.aerifal.cx> <20150321132810.GI16260@port70.net> <20150321210302.GJ16260@port70.net> <20150321213825.GK16260@port70.net>
To: Konstantin Serebryany, Rich Felker, musl@lists.openwall.com
Reply-To: musl@lists.openwall.com

* Szabolcs Nagy [2015-03-21 22:38:25 +0100]:
> ah..
> r14 is incremented as the string is parsed
> the original string is
>
> (gdb) p (char*)0x6e2dc3-35
> $37 = 0x6e2da0 "8:a:2:8:3:28:8::2:83:20:8:2:833:23:2.8288;3:33::2.82.83333"
>

With this I can reproduce the crash.

I assume 1:2:3:4:5:6:7:: is an invalid IPv6 address. Currently musl gets the :: handling wrong at the end and it goes on clobbering memory; I guess this is a security-critical issue.

A possible fix is attached, but probably the code should be made clearer here.

Content-Disposition: attachment; filename="inet_pton.diff"
diff --git a/src/network/inet_pton.c b/src/network/inet_pton.c
index 4496b47..e4cdad5 100644
--- a/src/network/inet_pton.c
+++ b/src/network/inet_pton.c
@@ -38,6 +38,7 @@ int inet_pton(int af, const char *restrict s, void *restrict a0) for (i=0; ; i++) { if (s[0]==':' && brk<0) { + if (i==7) return 0; brk=i; ip[i]=0; if (!*++s) break;
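Review bot: the added `if (i==7) return 0;` is placed before `if (!*++s) break;`, so it rejects both a `::` that begins at the eighth group position and is followed by more input (the case in which the loop would otherwise continue and write `ip[i]` beyond the eight groups, the clobbering described in the mail) and the trailing form `1:2:3:4:5:6:7::`, where the string ends right after the `::`. RFC 4291 reads `::` as one or more zero groups, under which the trailing form is a spelling of `1:2:3:4:5:6:7:0`; if that form is meant to stay accepted, the check belongs after the `if (!*++s) break;` line instead. A one-line comment on why 7 is the bound, and the two strings from this mail as regression inputs, would make the intent checkable.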
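The `::` handling and the missing bounds check discussed in this mail, as an added example that is neither musl's code nor anything from this thread: a stand-alone IPv6 text parser in C that splits the address at the single permitted `::`, parses each side with a hard cap on the number of groups so it can never write past its eight-entry array, and rejects the crash string quoted above as well as `1:2:3:4:5:6:7::8`. It follows the RFC 4291 wording that `::` stands for one or more zero groups, so the trailing form `1:2:3:4:5:6:7::` is accepted as `1:2:3:4:5:6:7:0` (the mail treats that form as invalid and the attached patch rejects it; lowering the `7 - nl` cap to reject it is a one-token change). The embedded-IPv4 suffix form (`::ffff:1.2.3.4`) is deliberately left out. The function names `hexval`, `parse_run`, `parse_ipv6` and `ipv6_byte` and all sample inputs are my own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hex value of c, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse the colon-separated run of groups in [s, end) into ip[0..max).
 * The run must not contain "::" (the caller has already split on it);
 * an empty run is zero groups.  Returns the group count, or -1 on a
 * syntax error or when the run holds more than max groups.  The
 * n == max test is the bounds check: ip[] is never written past max-1. */
static int parse_run(const char *s, const char *end, uint16_t *ip, int max)
{
    int n = 0;
    if (s == end) return 0;
    for (;;) {
        unsigned v = 0;
        int digits = 0, d = 0;
        while (s < end && digits < 4 && (d = hexval(*s)) >= 0) {
            v = v * 16 + d;
            s++;
            digits++;
        }
        if (digits == 0) return -1;   /* empty group: ":1", "1:", ":::" */
        if (n == max) return -1;      /* too many groups for the space left */
        ip[n++] = (uint16_t)v;
        if (s == end) return n;
        if (*s != ':') return -1;     /* fifth hex digit or a stray byte such as '.' or ';' */
        s++;
    }
}

/* Convert an RFC 4291 IPv6 text address (without the embedded-IPv4
 * suffix form) into 16 network-order bytes.  Returns 1 if s is valid
 * and out[] was filled, 0 otherwise; out[] is untouched on failure. */
int parse_ipv6(const char *s, unsigned char out[16])
{
    uint16_t left[8], right[8], ip[8] = {0};
    const char *end = s + strlen(s);
    const char *gap = strstr(s, "::");
    int nl, nr = 0, i;

    if (gap) {
        /* "::" may appear once and stands for at least one zero group,
         * so the explicit groups on both sides together number at most 7. */
        if (strstr(gap + 2, "::")) return 0;
        nl = parse_run(s, gap, left, 7);
        if (nl < 0) return 0;
        nr = parse_run(gap + 2, end, right, 7 - nl);
        if (nr < 0) return 0;
    } else {
        nl = parse_run(s, end, left, 8);
        if (nl != 8) return 0;
    }
    /* Assemble: explicit left groups, zero fill, explicit right groups. */
    for (i = 0; i < nl; i++) ip[i] = left[i];
    for (i = 0; i < nr; i++) ip[8 - nr + i] = right[i];
    for (i = 0; i < 8; i++) {
        out[2 * i] = ip[i] >> 8;
        out[2 * i + 1] = ip[i] & 0xff;
    }
    return 1;
}

/* Convenience for checks: byte idx of the parsed address, or -1 if s is invalid. */
int ipv6_byte(const char *s, int idx)
{
    unsigned char out[16];
    if (idx < 0 || idx > 15 || !parse_ipv6(s, out)) return -1;
    return out[idx];
}

int main(void)
{
    /* Constructed inputs; the first is the crash string quoted in the mail. */
    const char *inputs[] = {
        "8:a:2:8:3:28:8::2:83:20:8:2:833:23:2.8288;3:33::2.82.83333",
        "1:2:3:4:5:6:7::8", "1:2:3:4:5:6:7::", "2001:db8::1", "::", "1:2:3:4:5:6:7:8:9",
    };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        unsigned char out[16];
        printf("%-62s -> ", inputs[k]);
        if (!parse_ipv6(inputs[k], out)) { puts("invalid"); continue; }
        for (int i = 0; i < 16; i++) printf("%02x%s", out[i], i % 2 ? " " : "");
        putchar('\n');
    }
    return 0;
}
```

The design point is that the cap passed to `parse_run` is computed from how much room is left rather than from the loop counter of a single pass: the right-hand run after `::` gets `7 - nl`, so seven explicit groups followed by `::8` fails the `n == max` test before anything is stored, which is exactly the write the mail reports musl performing.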