Re: [chrony-dev] Alleged out of bounds read in cmdmon.c



On Wed, Jul 30, 2014 at 10:53:42AM +0200, Miroslav Lichvar wrote:
> On Wed, Jul 30, 2014 at 12:56:21AM -0700, clouds@xxxxxxxxxx wrote:
> > Within cmdmon.c, transmit_reply() - line 670, a temporary buffer is
> > declared and allocated 8 bytes. So further along, within cmdmon.c - line
> > 693, sendto(), addrlen is set to 28 bytes.  Which reads far beyond the 8
> > bytes allocated.
> 
> You mean the memory which where_to is pointing at is only 8 bytes?
> where_to should be pointing at union sockaddr_in46, which includes
> sockaddr_in, sockaddr_in6 and sockaddr, allocated on stack in
> read_from_cmd_socket(). Here, it seems to be 28 bytes with IPv6
> enabled and 16 bytes with IPv6 disabled. I don't see how it could be
> only 8 bytes.

Is anyone else seeing this? Our code looks good to me, so I suspect
they have some local modifications there. Am I overlooking something?

-- 
Miroslav Lichvar
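
The size question discussed in this message, as an added example that is not part of the original email or of chrony's source: a length check that refuses to hand sendto() an addrlen larger than the storage the address pointer really refers to. The union layout is rebuilt from the description in the thread, and `checked_addrlen`, `FAMILY_OFF` and the two `len_for_*` helpers are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Assumed shape of the union named in the thread, rebuilt from its
   description; not copied from chrony's source. */
union sockaddr_in46 {
  struct sockaddr_in in4;
  struct sockaddr_in6 in6;
  struct sockaddr u;
};
#define FAMILY_OFF offsetof(struct sockaddr, sa_family)

/* Hypothetical helper: addrlen that is safe to pass to sendto() for the
   address at buf, or 0 when the family is unknown or that family's sockaddr
   would not fit in the storage_len bytes the caller owns. */
static socklen_t checked_addrlen(const void *buf, size_t storage_len)
{
  sa_family_t family;
  size_t need;
  if (storage_len < FAMILY_OFF + sizeof family)
    return 0;
  memcpy(&family, (const unsigned char *)buf + FAMILY_OFF, sizeof family);
  switch (family) {
    case AF_INET:  need = sizeof (struct sockaddr_in);  break;
    case AF_INET6: need = sizeof (struct sockaddr_in6); break;
    default:       return 0;
  }
  return need <= storage_len ? (socklen_t)need : 0;
}

/* Constructed case: address held in the full union. */
static socklen_t len_for_full_union(sa_family_t family)
{
  union sockaddr_in46 addr;
  memset(&addr, 0, sizeof addr);
  addr.u.sa_family = family;
  return checked_addrlen(&addr, sizeof addr);
}

/* Constructed case: the 8-byte buffer the report describes. */
static socklen_t len_for_small_buffer(sa_family_t family)
{
  unsigned char small[8] = {0};
  memcpy(small + FAMILY_OFF, &family, sizeof family);
  return checked_addrlen(small, sizeof small);
}

int main(void)
{
  printf("union=%zu full=%u small=%u\n", sizeof (union sockaddr_in46),
         (unsigned)len_for_full_union(AF_INET6), (unsigned)len_for_small_buffer(AF_INET6));
  return 0;
}
```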
