From 486ba708442aa7296503dc44f2c2662ed784725f Mon Sep 17 00:00:00 2001
From: Simon Wilkinson
Date: Fri, 1 Mar 2013 12:01:19 +0000
Subject: [PATCH] util: Fix overflows in address parsing
The extractAddr function (which turns a dotted quad into an IP address), has a number of overflows when one or more elements of the quad are more than 31 characters in length. The array allocated for each portion is 32 bytes long, but we only stop writing into the array when the indexing pointer reaches 32, which doesn't leave us with space for the trailing NULL. Rework this so we always allow space for the NULL, and use a #define for the array length to make it more clear whats going on. Caught by coverity (#985591, #985592, #985593, #985594)
Reviewed-on: http://gerrit.openafs.org/9327
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
Reviewed-by: Derrick Brashear
(cherry picked from commit 28a441ebd8323437bf762a790b4ec5e6301e4bec)
Change-Id: I9506fd8b468c957f0c9f8dc2d58baf5bc6bc2e19
Reviewed-on: http://gerrit.openafs.org/9372
Tested-by: BuildBot
Reviewed-by: Andrew Deason
Reviewed-by: Paul Smeddle
Reviewed-by: Stephan Wiesand
---
 src/util/hostparse.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/util/hostparse.c b/src/util/hostparse.c
index 2462931ce..ede75ab9f 100644
--- a/src/util/hostparse.c
+++ b/src/util/hostparse.c
@@ -131,10 +131,13 @@ hostutil_GetNameByINet(afs_uint32 addr)
 ** w.x.y.z # machineName
 ** returns the network interface in network byte order
 */
+
+#define MAXBYTELEN 32
 afs_uint32
 extractAddr(char *line, int maxSize)
 {
- char byte1[32], byte2[32], byte3[32], byte4[32];
+ char byte1[MAXBYTELEN], byte2[MAXBYTELEN];
+ char byte3[MAXBYTELEN], byte4[MAXBYTELEN];
 int i = 0;
 char *endPtr;
 afs_uint32 val1, val2, val3, val4;
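Review bot: The new `#define MAXBYTELEN 32` and the blank line before it sit between the closing `*/` of the comment describing extractAddr and the function itself (hunk `@@ -131,10 +131,13 @@`), so that comment now reads as if it documents the macro. Moving the define above the comment block keeps the description attached to the function. The constant also deserves a one-line comment of its own, e.g. `/* size of each octet buffer, including the terminating NUL */`, because the later bound `i >= MAXBYTELEN-1` is only correct under that meaning. extractAddr's body continues past the end of this hunk.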
@@ -153,7 +156,7 @@ extractAddr(char *line, int maxSize)
 while ((*line != '.') && maxSize) { /* extract first byte */
 if (!isdigit(*line))
 return AFS_IPINVALID;
- if (i > 31)
+ if (i >= MAXBYTELEN-1)
 return AFS_IPINVALID; /* no space */
 byte1[i++] = *line++;
 maxSize--;
@@ -166,7 +169,7 @@ extractAddr(char *line, int maxSize)
 while ((*line != '.') && maxSize) { /* extract second byte */
 if (!isdigit(*line))
 return AFS_IPINVALID;
- if (i > 31)
+ if (i >= MAXBYTELEN-1)
 return AFS_IPINVALID; /* no space */
 byte2[i++] = *line++;
 maxSize--;
@@ -179,7 +182,7 @@ extractAddr(char *line, int maxSize)
 while ((*line != '.') && maxSize) {
 if (!isdigit(*line))
 return AFS_IPINVALID;
- if (i > 31)
+ if (i >= MAXBYTELEN-1)
 return AFS_IPINVALID; /* no space */
 byte3[i++] = *line++;
 maxSize--;
@@ -192,7 +195,7 @@ extractAddr(char *line, int maxSize)
 while (*line && !isspace(*line) && maxSize) {
 if (!isdigit(*line))
 return AFS_IPINVALID;
- if (i > 31)
+ if (i >= MAXBYTELEN-1)
 return AFS_IPINVALID; /* no space */
 byte4[i++] = *line++;
 maxSize--;
-- 
2.39.5
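Review bot: `isdigit(*line)` in the `@@ -153,7 +156,7 @@` hunk receives a plain `char`, which is undefined behaviour for bytes with the high bit set on platforms where `char` is signed; the overflow fix leaves this unchanged. The text being parsed appears to be an external `w.x.y.z # machineName` entry, so non-ASCII bytes cannot be ruled out, and the argument should be cast: `if (!isdigit((unsigned char)*line))`. The same call is repeated in the three following hunks, and the last loop's `isspace(*line)` needs the same cast. The loop belongs to extractAddr, whose start and end lie outside this hunk.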
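Review bot: The corrected bound in the `@@ -192,7 +195,7 @@` hunk (and the three before it) still accepts up to 31 digits for a field whose valid range is 0–255. Rejecting out-of-range octets therefore rests entirely on the conversion that follows the loop, which this hunk does not show. If that code does not already do so, each value needs a guard such as `if (val4 > 255) return AFS_IPINVALID;`, plus a check that the conversion itself did not overflow, before the four values are combined into the address. The rest of extractAddr is outside the hunk, so this may already be handled there.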