Re: [chrony-dev] Alleged out of bounds read in cmdmon.c




Dear Clouds,

I also fail to see any memory allocation in transmit_reply(). Line 670 is the function itself. On which line is the allocation?

The pointers used by sendto(): msg and where_to->u both have come as pointers to transmit_reply().

The line specification 1815 did not have any allocation in chrony-1.30.tar.gz. Could you verify that you have seen the errors with that clean source, and also send the valgrind output?

Thanks,
Håkan Johansson


On Tue, 5 Aug 2014, Miroslav Lichvar wrote:

> On Wed, Jul 30, 2014 at 10:53:42AM +0200, Miroslav Lichvar wrote:
>> On Wed, Jul 30, 2014 at 12:56:21AM -0700, clouds@xxxxxxxxxx wrote:
>>> Within cmdmon.c, transmit_reply() - line 670, a temporary buffer is
>>> declared and allocated 8 bytes. So further along, within cmdmon.c - line
>>> 693, sendto(), addrlen is set to 28 bytes.  Which reads far beyond the 8
>>> bytes allocated.
>>
>> You mean the memory which where_to is pointing at is only 8 bytes?
>> where_to should be pointing at union sockaddr_in46, which includes
>> sockaddr_in, sockaddr_in6 and sockaddr, allocated on stack in
>> read_from_cmd_socket(). Here, it seems to be 28 bytes with IPv6
>> enabled and 16 bytes with IPv6 disabled. I don't see how it could be
>> only 8 bytes.
>
> Is anyone else seeing this? Our code looks good to me, so I suspect
> they have some local modifications there. Am I overlooking something?
>
> --
> Miroslav Lichvar
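
The size argument discussed in this thread can be checked with a short program. This is an added example, not part of the original messages and not chrony's source: the union is reconstructed from the description above, and the member names in4 and in6 and the helpers addr_len_for() and addrlen_fits() are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Assumed layout, following the description in the thread (not chrony's source). */
union sockaddr_in46 {
  struct sockaddr_in in4;    /* member name assumed */
  struct sockaddr_in6 in6;   /* member name assumed */
  struct sockaddr u;         /* "where_to->u" in the thread */
};

/* addrlen that sendto() should be given for the family stored in *a; 0 if unknown. */
static socklen_t addr_len_for(const union sockaddr_in46 *a)
{
  switch (a->u.sa_family) {
    case AF_INET:  return (socklen_t)sizeof (a->in4);
    case AF_INET6: return (socklen_t)sizeof (a->in6);
    default:       return 0;
  }
}

/* Hypothetical helper: 1 if an address of `family`, sent with its natural
   addrlen, stays inside `storage` bytes of backing memory, else 0. */
static int addrlen_fits(int family, size_t storage)
{
  union sockaddr_in46 a;
  socklen_t len;

  memset(&a, 0, sizeof (a));
  a.u.sa_family = (sa_family_t)family;
  len = addr_len_for(&a);
  return len != 0 && (size_t)len <= storage;
}

int main(void)
{
  printf("sockaddr_in=%zu sockaddr_in6=%zu union=%zu\n",
         sizeof (struct sockaddr_in), sizeof (struct sockaddr_in6),
         sizeof (union sockaddr_in46));
  printf("IPv6 addrlen fits the union: %d\n",
         addrlen_fits(AF_INET6, sizeof (union sockaddr_in46)));
  printf("IPv6 addrlen fits 8 bytes:   %d\n", addrlen_fits(AF_INET6, 8));
  return 0;
}
```

An over-read of the kind reported would require the backing storage to be smaller than the union, which is the case the last line of output models.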
