Re: [chrony-dev] Alleged out of bounds read in cmdmon.c

[Håkan Johansson <f96hajo@xxxxxxxxxxx>]

Dear Clouds,

I also fail to see any memory allocation in transmit_reply().  Line 670 is 
the function itself.  On which line is the allocation?

The pointers used by sendto(): msg and where_to->u both have come as 
pointers to transmit_reply().

The line specification 1815 did not have any allocation in 
chrony-1.30.tar.gz.  Could you verify that you have seen the errors with 
that clean source, and also send the valgrind output?

Thanks,
Håkan Johansson


On Tue, 5 Aug 2014, Miroslav Lichvar wrote:

> On Wed, Jul 30, 2014 at 10:53:42AM +0200, Miroslav Lichvar wrote:
> > On Wed, Jul 30, 2014 at 12:56:21AM -0700, clouds@xxxxxxxxxx wrote:
> > > Within cmdmon.c, transmit_reply() - line 670, a temporary buffer is
> > > declared and allocated 8 bytes. So further along, within cmdmon.c - line
> > > 693, sendto(), addrlen is set to 28 bytes.  Which reads far beyond the 8
> > > bytes allocated.
> >
> > You mean the memory which where_to is pointing at is only 8 bytes?
> > where_to should be pointing at union sockaddr_in46, which includes
> > sockaddr_in, sockaddr_in6 and sockaddr, allocated on stack in
> > read_from_cmd_socket(). Here, it seems to be 28 bytes with IPv6
> > enabled and 16 bytes with IPv6 disabled. I don't see how it could be
> > only 8 bytes.
>
> Is anyone else seeing this? Our code looks good to me, so I suspect
> they have some local modifications there. Am I overlooking something?
>
> --
> Miroslav Lichvar
>
> --
> To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
> For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
> Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.