diff options
| author |   Ned Ludd <solar@gentoo.org> | 2004-08-12 10:28:27 +0000 |
|---|---|---|
| committer | Ned Ludd <solar@gentoo.org> | 2004-08-12 10:28:27 +0000 |
| commit | 4080464413872a01a68f75f80e17bbd9e15ed030 (patch) | |
| tree | 22491e1733ead2aa90ef9e2beef7759758aa1c74 /sys-apps/net-tools/files | |
| parent | Added [~]s390 (Manifest recommit) (diff) | |
| download | gentoo-2-4080464413872a01a68f75f80e17bbd9e15ed030.tar.gz gentoo-2-4080464413872a01a68f75f80e17bbd9e15ed030.tar.bz2 gentoo-2-4080464413872a01a68f75f80e17bbd9e15ed030.zip | |
get_name() scans past the first ':' looking for <digit>*: - however if the bytes field has grown far enough to butt right up to the interface name it will cause get_name to parse over the bytes field thinking it may be an alias thus triggering an overflow. bug 58633
Diffstat (limited to 'sys-apps/net-tools/files')
| -rw-r--r-- | sys-apps/net-tools/files/digest-net-tools-1.60-r9 | 2 | ||||
| -rw-r--r-- | sys-apps/net-tools/files/net-tools-1.60-get_name.patch | 58 |
2 files changed, 60 insertions, 0 deletions
diff --git a/sys-apps/net-tools/files/digest-net-tools-1.60-r9 b/sys-apps/net-tools/files/digest-net-tools-1.60-r9 new file mode 100644 index 000000000000..0a4ac9ee6c4e --- /dev/null +++ b/sys-apps/net-tools/files/digest-net-tools-1.60-r9 @@ -0,0 +1,2 @@ +MD5 888774accab40217dde927e21979c165 net-tools-1.60.tar.bz2 198520 +MD5 d733ef8b0bad3dbd0cf98e14b45fe1a6 net-tools-1.60-gentoo-extra-1.tar.bz2 10370 diff --git a/sys-apps/net-tools/files/net-tools-1.60-get_name.patch b/sys-apps/net-tools/files/net-tools-1.60-get_name.patch new file mode 100644 index 000000000000..fdde46e7ec8b --- /dev/null +++ b/sys-apps/net-tools/files/net-tools-1.60-get_name.patch @@ -0,0 +1,58 @@ +diff -Nrup net-tools-1.60.orig/lib/interface.c net-tools-1.60/lib/interface.c +--- net-tools-1.60.orig/lib/interface.c 2004-08-12 05:54:09.000000000 -0400 ++++ net-tools-1.60/lib/interface.c 2004-08-12 06:03:20.000000000 -0400 +@@ -203,28 +203,34 @@ out: + + static char *get_name(char *name, char *p) + { +- while (isspace(*p)) +- p++; +- while (*p) { +- if (isspace(*p)) +- break; +- if (*p == ':') { /* could be an alias */ +- char *dot = p, *dotname = name; +- *name++ = *p++; +- while (isdigit(*p)) +- *name++ = *p++; +- if (*p != ':') { /* it wasn't, backup */ +- p = dot; +- name = dotname; +- } +- if (*p == '\0') +- return NULL; +- p++; +- break; ++ /* Extract <name>[:<alias>] from nul-terminated p where p matches ++ <name>[:<alias>]: after leading whitespace. ++ If match is not made, set name empty and return unchanged p */ ++ int namestart=0, nameend=0, aliasend; ++ while (isspace(p[namestart])) ++ namestart++; ++ nameend=namestart; ++ while (p[nameend] && p[nameend]!=':' && !isspace(p[nameend])) ++ nameend++; ++ if (p[nameend]==':') { ++ aliasend=nameend+1; ++ while (p[aliasend] && isdigit(p[aliasend])) ++ aliasend++; ++ if (p[aliasend]==':') { ++ nameend=aliasend; ++ } ++ if ((nameend-namestart)<IFNAMSIZ) { ++ memcpy(name,&p[namestart],nameend-namestart); ++ name[nameend-namestart]='\0'; ++ p=&p[nameend]; ++ } else { ++ /* Interface name too large */ ++ name[0]='\0'; + } +- *name++ = *p++; ++ } else { ++ /* first ':' not found - return empty */ ++ name[0]='\0'; + } +- *name++ = '\0'; + return p; + } + |