From: Justin Cormack
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: buffer overflow in regcomp and a way to find more of those
Date: Sun, 22 Mar 2015 06:36:58 +0000
To: musl@lists.openwall.com, Konstantin Serebryany, Rich Felker
Reply-To: musl@lists.openwall.com
In-Reply-To: <20150321221303.GL16260@port70.net>

On 21 March 2015 at 22:13, Szabolcs Nagy wrote:
> * Szabolcs Nagy [2015-03-21 22:38:25 +0100]:
>> ah.. r14 is incremented as the string is parsed
>> the original string is
>>
>> (gdb) p (char*)0x6e2dc3-35
>> $37 = 0x6e2da0 "8:a:2:8:3:28:8::2:83:20:8:2:833:23:2.8288;3:33::2.82.83333"
>>
>> with this i can reproduce the crash
>
> i assume
>
> 1:2:3:4:5:6:7::
>
> is invalid ipv6 address

No, it is valid, the last :: expands to :0. RFC 2373 says "The "::"
can also be used to compress the leading and/or trailing zeros in an
address."

Justin
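
The trailing "::" case discussed above, as an added example that is not part of the original message and is not musl's code: a bounds-checked parser that accepts `1:2:3:4:5:6:7::` and expands it to a final zero group, while refusing any input that would need more than eight groups. The function name `parse_ipv6_groups` is hypothetical, and the example is narrowed to hex groups only (no embedded dotted-quad IPv4 form).

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: parse hex-group IPv6 text (no embedded IPv4 form) into
 * eight 16-bit groups. Returns 0 on success, -1 on malformed input. */
int parse_ipv6_groups(const char *s, uint16_t out[8])
{
    uint16_t g[8];
    int n = 0;      /* groups stored in g[] so far */
    int gap = -1;   /* position of "::" within g[], -1 if not seen */
    int i, j = 0;

    if (s[0] == ':') {              /* a leading ':' is only legal as "::" */
        if (s[1] != ':') return -1;
        gap = 0;
        s += 2;
    }
    while (*s) {
        unsigned v = 0;
        int digits = 0;
        if (n == 8) return -1;      /* bound check before every store */
        for (; digits < 4; digits++, s++) {
            int c = *s | 32;        /* fold ASCII upper case to lower */
            if (*s >= '0' && *s <= '9') v = v * 16 + (unsigned)(*s - '0');
            else if (c >= 'a' && c <= 'f') v = v * 16 + (unsigned)(c - 'a' + 10);
            else break;
        }
        if (digits == 0) return -1; /* empty group, e.g. ":::" */
        g[n++] = (uint16_t)v;
        if (*s == '\0') break;
        if (*s++ != ':') return -1; /* 5th digit, '.', ';' or other junk */
        if (*s == '\0') return -1;  /* lone trailing ':' */
        if (*s == ':') {
            if (gap >= 0) return -1; /* only one "::" allowed */
            gap = n;
            s++;
        }
    }
    if (gap < 0 ? n != 8 : n >= 8) return -1; /* "::" covers >= 1 group */
    for (i = 0; i < 8; i++)         /* zero-fill the gap, copy the rest */
        out[i] = (gap >= 0 && i >= gap && i < gap + 8 - n) ? 0 : g[j++];
    return 0;
}

int main(void)
{
    uint16_t a[8];
    int rc = parse_ipv6_groups("1:2:3:4:5:6:7::", a);
    printf("rc=%d last=%x\n", rc, rc ? 0u : (unsigned)a[7]);
    return 0;
}
```

The `n == 8` check runs before each store into `g[]`, so an overlong input such as the string quoted from gdb above is rejected instead of writing past the array.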