Re: [chrony-dev] Alleged out of bounds read in cmdmon.c



On 08/05/14 10:26, Miroslav Lichvar wrote:
> On Wed, Jul 30, 2014 at 10:53:42AM +0200, Miroslav Lichvar wrote:
>> On Wed, Jul 30, 2014 at 12:56:21AM -0700, clouds@xxxxxxxxxx wrote:
>>> Within cmdmon.c, transmit_reply() - line 670, a temporary buffer is
>>> declared and allocated 8 bytes. So further along, within cmdmon.c - line
>>> 693, sendto(), addrlen is set to 28 bytes.  Which reads far beyond the 8
>>> bytes allocated.
>>
>> You mean the memory which where_to is pointing at is only 8 bytes?
>> where_to should be pointing at union sockaddr_in46, which includes
>> sockaddr_in, sockaddr_in6 and sockaddr, allocated on stack in
>> read_from_cmd_socket(). Here, it seems to be 28 bytes with IPv6
>> enabled and 16 bytes with IPv6 disabled. I don't see how it could be
>> only 8 bytes.
> 
> Is anyone else seeing this? Our code looks good to me, so I suspect
> they have some local modifications there. Am I overlooking something?

I've looked it over and don't see anything too obviously wrong. Neither did clang's static analyzer, even though it did find some other problems, of which I don't understand some either (could be false positives). Some, however, seem genuine. If you don't have clang 3.4.2 just let me know and I'll send you the generated HTML output off-list.

-h
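
Added example, not chrony's code and not part of the messages above: a bounds check that ties the addrlen passed to sendto() to the address family and to the size of the storage that where_to points at, so that an 8-byte buffer like the one alleged in the report would be rejected. The union's member names and the functions reply_addrlen(), check_stack_union() and check_small_buffer() are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Modeled on the union described in the thread; member names are assumed. */
union sockaddr_in46 {
    struct sockaddr_in  in4;
    struct sockaddr_in6 in6;
    struct sockaddr     u;
};

/* Length to pass to sendto() for the address at where_to, or 0 when the
 * family is unknown or the storage (storage_len bytes) is too small, in
 * which case sendto() would read past the end of the buffer. */
static socklen_t reply_addrlen(const void *where_to, size_t storage_len)
{
    const size_t fam_off = offsetof(struct sockaddr, sa_family);
    sa_family_t family;
    size_t need;

    if (where_to == NULL || storage_len < fam_off + sizeof(family))
        return 0;
    memcpy(&family, (const unsigned char *)where_to + fam_off, sizeof(family));
    switch (family) {
    case AF_INET:  need = sizeof(struct sockaddr_in);  break;
    case AF_INET6: need = sizeof(struct sockaddr_in6); break;
    default:       return 0;
    }
    return storage_len >= need ? (socklen_t)need : 0;
}

/* Caller allocates the whole union on the stack, as the thread describes. */
static socklen_t check_stack_union(int family)
{
    union sockaddr_in46 addr;
    memset(&addr, 0, sizeof(addr));
    addr.u.sa_family = (sa_family_t)family;
    return reply_addrlen(&addr, sizeof(addr));
}

/* Constructed counter-case: only 8 bytes of storage behind the pointer. */
static socklen_t check_small_buffer(int family)
{
    unsigned char buf[8] = {0};
    sa_family_t f = (sa_family_t)family;
    memcpy(buf + offsetof(struct sockaddr, sa_family), &f, sizeof(f));
    return reply_addrlen(buf, sizeof(buf));
}

int main(void)
{
    printf("union=%zu v4=%u v6=%u small=%u\n", sizeof(union sockaddr_in46),
           (unsigned)check_stack_union(AF_INET), (unsigned)check_stack_union(AF_INET6),
           (unsigned)check_small_buffer(AF_INET6));
    return 0;
}
```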

