| commit | eacba575c3a740e3d02040657f487a30632d8d71 | |
| author | Tobias Klauser <tklauser@distanz.ch> | |
| Thu, 2 Mar 2017 08:45:10 +0000 (2 09:45 +0100) | ||
| committer | Tobias Klauser <tklauser@distanz.ch> | |
| Thu, 2 Mar 2017 08:45:10 +0000 (2 09:45 +0100) | ||
| tree | 2adbaae7f05407dcf1c7feb5feed5f1f529a0726 | treesnapshot (tar.gz zip) |
| parent | 4156f1451ac83e0ba1cfa856c86c44af7d30e6f0 | commitdiff |
dev: Fix buffer overflow in device_addr2str()
If the passed buffer is too small to contain an address of length alen
(i.e. during fuzzing), we overflow the buffer due to blen being
decremented below 0, which gets wrapped around to a really large value
when passed as the size argument to snprintf().
Fix it by incorporating the changes to iproute2 ll_addr_n2a() where the
issue was fixed in commit f63ed3e62989 ("lib/ll_addr: improve
ll_addr_n2a() a bit").
Fixes #170
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
If the passed buffer is too small to contain an address of length alen
(i.e. during fuzzing), we overflow the buffer due to blen being
decremented below 0, which gets wrapped around to a really large value
when passed as the size argument to snprintf().
Fix it by incorporating the changes to iproute2 ll_addr_n2a() where the
issue was fixed in commit f63ed3e62989 ("lib/ll_addr: improve
ll_addr_n2a() a bit").
Fixes #170
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
| dev.c | diffblobblamehistory |