Re: [chrony-dev] Alleged out of bounds read in cmdmon.c
Dear Clouds,

I also fail to see any memory allocation in transmit_reply(). Line 670 is the function itself. On which line is the allocation?
The pointers used by sendto(): msg and where_to->u both have come as pointers to transmit_reply().
The line specification 1815 did not have any allocation in chrony-1.30.tar.gz. Could you verify that you have seen the errors with that clean source, and also send the valgrind output?
Thanks,
Håkan Johansson

On Tue, 5 Aug 2014, Miroslav Lichvar wrote:

> On Wed, Jul 30, 2014 at 10:53:42AM +0200, Miroslav Lichvar wrote:
> > On Wed, Jul 30, 2014 at 12:56:21AM -0700, clouds@xxxxxxxxxx wrote:
> > > Within cmdmon.c, transmit_reply() - line 670, a temporary buffer is declared and allocated 8 bytes. So further along, within cmdmon.c - line 693, sendto(), addrlen is set to 28 bytes. Which reads far beyond the 8 bytes allocated.
> >
> > You mean the memory which where_to is pointing at is only 8 bytes? where_to should be pointing at union sockaddr_in46, which includes sockaddr_in, sockaddr_in6 and sockaddr, allocated on stack in read_from_cmd_socket(). Here, it seems to be 28 bytes with IPv6 enabled and 16 bytes with IPv6 disabled. I don't see how it could be only 8 bytes.
>
> Is anyone else seeing this? Our code looks good to me, so I suspect they have some local modifications there. Am I overlooking something?
>
> --
> Miroslav Lichvar