From stefan@fafoe.dyndns.org  Sat Aug  3 09:57:54 2002
Return-Path: <stefan@fafoe.dyndns.org>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D1FAC37B400
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  3 Aug 2002 09:57:54 -0700 (PDT)
Received: from fafoe.dyndns.org (chello212186121237.14.vie.surfer.at [212.186.121.237])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 586C343E3B
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  3 Aug 2002 09:57:54 -0700 (PDT)
	(envelope-from stefan@fafoe.dyndns.org)
Received: by frog.fafoe (Postfix, from userid 1001)
	id 0FE86281; Sat,  3 Aug 2002 19:02:55 +0200 (CEST)
Message-Id: <20020803170255.0FE86281@frog.fafoe>
Date: Sat,  3 Aug 2002 19:02:55 +0200 (CEST)
From: Stefan Farfeleder <e0026813@stud3.tuwien.ac.at>
Reply-To: Stefan Farfeleder <e0026813@stud3.tuwien.ac.at>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: inet_ntop(3) buffer overflow
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         41289
>Category:       misc
>Synopsis:       inet_ntop(3) buffer overflow
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 03 10:00:11 PDT 2002
>Closed-Date:    Mon Dec 16 08:46:54 PST 2002
>Last-Modified:  Mon Dec 16 08:46:54 PST 2002
>Originator:     Stefan Farfeleder
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
>Environment:
System: FreeBSD frog.fafoe 4.6-STABLE FreeBSD 4.6-STABLE #0: Fri Aug 2 01:04:34 CEST 2002 freebsd@frog.fafoe:/freebsd/stable/obj/freebsd/stable/src/sys/FROG i386
>Description:
inet_ntop4()'s check for ENOSPC is wrong. sprintf() doesn't include the
terminating '\0' in its return value. inet_ntop6() seems safe.
>How-To-Repeat:

Script started on Sat Aug  3 18:57:36 2002
stefan@frog:~ 501 (0)$ cat pr.c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>

int
main(void)
{
    char buf[8];
    u_int32_t i = inet_addr("1.2.3.4");

    buf[7] = 1;
    inet_ntop(AF_INET, &i, buf, 7);
    if (buf[7] != 1) printf("buf[7] overwritten!\n");

    return 0;
}
stefan@frog:~ 502 (0)$ c89 pr.c
stefan@frog:~ 503 (0)$ ./a.out
buf[7] overwritten!
stefan@frog:~ 504 (0)$ exit

Script done on Sat Aug  3 18:57:52 2002
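The Description above states the root cause: sprintf()'s return value excludes the terminating '\0', so inet_ntop4()'s "> size" test lets a string of exactly size characters through, and the copy into the caller's buffer then writes size + 1 bytes. What follows is an added example, not code from this PR or from FreeBSD's libc: a hypothetical stand-in format_v4() that can run either the original comparison or the corrected one from the Fix, exercised against a guard buffer so the one-byte overrun is observable without writing outside any object. The function names format_v4, canary_overwritten, strict_rejects_short_buffer and strict_accepts_exact_size, and the use of 1.2.3.4 as sample input, are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for inet_ntop4()'s length check (not libc's code).
 * Formats the four octets in src into dst, which holds `size` bytes.
 * Returns the string length on success, or -1 with errno = ENOSPC.
 *
 * strict_check == 0 reproduces the original comparison (len > size);
 * strict_check != 0 uses the corrected one (len >= size).  The sprintf
 * family returns the length without the terminating NUL, so a string of
 * exactly `size` characters passes the original test and len + 1 bytes
 * are then copied into a size-byte buffer: a one-byte overflow.
 */
static int
format_v4(const unsigned char src[4], char *dst, size_t size, int strict_check)
{
    char tmp[sizeof "255.255.255.255"];
    int len = snprintf(tmp, sizeof tmp, "%u.%u.%u.%u",
                       (unsigned)src[0], (unsigned)src[1],
                       (unsigned)src[2], (unsigned)src[3]);
    int too_long = strict_check ? (size_t)len >= size : (size_t)len > size;

    if (too_long) {
        errno = ENOSPC;
        return -1;
    }
    memcpy(dst, tmp, (size_t)len + 1);   /* +1 copies the NUL, as strcpy would */
    return len;
}

/* Constructed sample address "1.2.3.4": seven characters, needs 8 bytes. */
static const unsigned char sample_addr[4] = { 1, 2, 3, 4 };

/*
 * Call format_v4 with size 7 (one byte short) on a window inside a larger
 * guard buffer and report whether the byte just past that window was
 * touched.  The guard keeps the demonstration itself within bounds.
 */
int
canary_overwritten(int strict_check)
{
    char guard[32];
    memset(guard, 'X', sizeof guard);
    (void)format_v4(sample_addr, guard, 7, strict_check);
    return guard[7] != 'X';
}

/* With the corrected check, a 7-byte buffer is refused with ENOSPC. */
int
strict_rejects_short_buffer(void)
{
    char buf[7];
    errno = 0;
    return format_v4(sample_addr, buf, sizeof buf, 1) == -1 && errno == ENOSPC;
}

/* And the smallest sufficient buffer (8 bytes) still succeeds. */
int
strict_accepts_exact_size(void)
{
    char buf[8];
    int len = format_v4(sample_addr, buf, sizeof buf, 1);
    return len == 7 && strcmp(buf, "1.2.3.4") == 0;
}

int
main(void)
{
    printf("original check clobbers byte past buffer: %d\n", canary_overwritten(0));
    printf("fixed check clobbers byte past buffer:    %d\n", canary_overwritten(1));
    printf("fixed check rejects 7-byte buffer:        %d\n", strict_rejects_short_buffer());
    printf("fixed check accepts 8-byte buffer:        %d\n", strict_accepts_exact_size());
    return 0;
}
```

The guard buffer plays the role of buf[7] in the pr.c transcript above: the original comparison leaves it with the NUL written one byte past the caller's window, the corrected comparison returns ENOSPC and leaves it untouched, and an 8-byte buffer still formats the address correctly, so the fix does not reject any buffer that was actually large enough.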
>Fix:

--- inet_ntop.c.orig	Sat Aug  3 18:14:52 2002
+++ inet_ntop.c	Sat Aug  3 18:41:33 2002
@@ -85,7 +85,7 @@
 	static const char fmt[] = "%u.%u.%u.%u";
 	char tmp[sizeof "255.255.255.255"];
 
-	if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) > size) {
+	if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) >= size) {
 		errno = ENOSPC;
 		return (NULL);
 	}
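Review bot: The change from `> size` to `>= size` is the right fix and the only one needed in this hunk: SPRINTF's return value counts the characters before the terminating NUL, so an address string exactly `size` characters long passed the old test and the caller's `size`-byte buffer then received `size + 1` bytes, as the pr.c transcript shows. Consider a one-line comment next to the comparison noting that the return value excludes the NUL, so a later reader does not "simplify" it back to `>`; the comparison also mixes a signed `int` return with the unsigned `size`, which is harmless here because `tmp` bounds the length, but worth a glance if `size` can ever be zero.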
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: robert 
State-Changed-When: Fri Aug 16 03:09:02 PDT 2002 
State-Changed-Why:  
A fix has been committed to -current. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=41289 
State-Changed-From-To: patched->closed 
State-Changed-By: robert 
State-Changed-When: Mon Dec 16 08:46:04 PST 2002 
State-Changed-Why:  
The bug has been fixed in both -CURRENT and -STABLE. 
Thanks again for reporting it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=41289 
>Unformatted:
