From 28a441ebd8323437bf762a790b4ec5e6301e4bec Mon Sep 17 00:00:00 2001 From: Simon Wilkinson Date: Fri, 1 Mar 2013 12:01:19 +0000 Subject: [PATCH] util: Fix overflows in address parsing The extractAddr function (which turns a dotted quad into an IP address), has a number of overflows when one or more elements of the quad are more than 31 characters in length. The array allocated for each portion is 32 bytes long, but we only stop writing into the array when the indexing pointer reaches 32, which doesn't leave us with space for the trailing NULL. Rework this so we always allow space for the NULL, and use a #define for the array length to make it more clear whats going on. Caught by coverity (#985591, #985592, #985593, #985594) Change-Id: I33ecc78ba6c90e44c3a4f2df171abba1d58562b3 Reviewed-on: http://gerrit.openafs.org/9327 Tested-by: BuildBot Reviewed-by: Jeffrey Altman Reviewed-by: Derrick Brashear --- src/util/hostparse.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/util/hostparse.c b/src/util/hostparse.c index d0a181a2f..4644a97fd 100644 --- a/src/util/hostparse.c +++ b/src/util/hostparse.c @@ -121,10 +121,13 @@ hostutil_GetNameByINet(afs_uint32 addr) ** w.x.y.z # machineName ** returns the network interface in network byte order */ + +#define MAXBYTELEN 32 afs_uint32 extractAddr(char *line, int maxSize) { - char byte1[32], byte2[32], byte3[32], byte4[32]; + char byte1[MAXBYTELEN], byte2[MAXBYTELEN]; + char byte3[MAXBYTELEN], byte4[MAXBYTELEN]; int i = 0; char *endPtr; afs_uint32 val1, val2, val3, val4; @@ -143,7 +146,7 @@ extractAddr(char *line, int maxSize) while ((*line != '.') && maxSize) { /* extract first byte */ if (!isdigit(*line)) return AFS_IPINVALID; - if (i > 31) + if (i >= MAXBYTELEN-1) return AFS_IPINVALID; /* no space */ byte1[i++] = *line++; maxSize--; @@ -156,7 +159,7 @@ extractAddr(char *line, int maxSize) while ((*line != '.') && maxSize) { /* extract second byte */ if (!isdigit(*line)) return AFS_IPINVALID; - if (i > 31) + if (i >= MAXBYTELEN-1) return AFS_IPINVALID; /* no space */ byte2[i++] = *line++; maxSize--; @@ -169,7 +172,7 @@ extractAddr(char *line, int maxSize) while ((*line != '.') && maxSize) { if (!isdigit(*line)) return AFS_IPINVALID; - if (i > 31) + if (i >= MAXBYTELEN-1) return AFS_IPINVALID; /* no space */ byte3[i++] = *line++; maxSize--; @@ -182,7 +185,7 @@ extractAddr(char *line, int maxSize) while (*line && !isspace(*line) && maxSize) { if (!isdigit(*line)) return AFS_IPINVALID; - if (i > 31) + if (i >= MAXBYTELEN-1) return AFS_IPINVALID; /* no space */ byte4[i++] = *line++; maxSize--; -- 2.39.5