Re: [chrony-dev] Alleged out of bounds read in cmdmon.c |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-dev Archives
]
On Wed, Jul 30, 2014 at 10:53:42AM +0200, Miroslav Lichvar wrote:
> On Wed, Jul 30, 2014 at 12:56:21AM -0700, clouds@xxxxxxxxxx wrote:
> > Within cmdmon.c, transmit_reply() - line 670, a temporary buffer is
> > declared and allocated 8 bytes. So further along, within cmdmon.c - line
> > 693, sendto(), addrlen is set to 28 bytes. Which reads far beyond the 8
> > bytes allocated.
>
> You mean the memory which where_to is pointing at is only 8 bytes?
> where_to should be pointing at union sockaddr_in46, which includes
> sockaddr_in, sockaddr_in6 and sockaddr, allocated on stack in
> read_from_cmd_socket(). Here, it seems to be 28 bytes with IPv6
> enabled and 16 bytes with IPv6 disabled. I don't see how it could be
> only 8 bytes.
Is anyone else seeing this? Our code looks good to me, so I suspect
they have some local modifications there. Am I overlooking something?
--
Miroslav Lichvar
--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.