In message , "dave b via RT" writes:
> Also, this is amusing: ( and I probably got this entirely wrong
> :P - and I doubt it is a real issue)
>
> dhcpclient.c
>
> dhcp()
> ...
> char addrbuf[4*16];
> ...
> ...
> The following comment is just plain wrong:
>
> /* piaddr() returns its result in a static
>    buffer sized 4*16 (see common/inet.c). */
>
> Why? because sizeof pbuf is 46.
> source: static char
> pbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
>
> Ok.
>
> Now in dhcpv6()
> ...
>
> char addrbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")];
> the sizeof addrbuf is 40.
>
> Following along:
>
> /* Discard, with log, packets from quenched sources. */
> for (ap = packet->interface->client->config->reject_list ;
>      ap ; ap = ap->next) {
>         if (addr_match(&packet->client_addr, &ap->match)) {
>
> WOOPS --->      strcpy(addrbuf, piaddr(packet->client_addr));
>
>                 log_info("%s from %s rejected by rule %s",
>                          dhcpv6_type_names[packet->dhcpv6_msg_type],
>                          addrbuf,
>                          piaddrmask(&ap->match.addr, &ap->match.mask)
>                          );
>                 return;
>         }
> }
>
> From the strcpy manual:
> The strcpy() function copies the string pointed to by src,
> including the terminating null byte ('\0'), to the buffer pointed to
> by dest. The strings may not overlap, and the destination string dest
> must be large enough to receive the copy.
>
> Hum but (for dhcpv6) addrbuf is sizeof 40 and the max of the source
> string is sizeof 46. Woops.

45 is the biggest legal input. No presentation address exceeds 39.
The two forms where a dotted quad is emitted have the following forms,
neither of which is anywhere near 46 bytes in length.

	::111.222.333.444
	::ffff:111.222.333.444

However, if a flag was ever added to say emit dotted quad then you would
have arbitrary prefixes and it could be reached.

> --
> Ticket History: https://bugs.isc.org/Ticket/Display.html?id=23006

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
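
The sizes discussed in this thread can be checked with a short program; this is an added example, not part of either message and not ISC DHCP code. It assumes the standard inet_ntop() as a stand-in for piaddr(), and the helper names, sample addresses and the 45-character string are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes quoted in the thread. */
#define PBUF_SIZE    sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")
#define ADDRBUF_SIZE sizeof("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")

/* Constructed sample addresses: all-ones and an IPv4-mapped address. */
static const unsigned char ALL_ONES[16] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
static const unsigned char V4_MAPPED[16] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 255, 255, 255, 255
};

/* Length of the presentation form of a raw IPv6 address, or -1 on error.
 * Assumption: inet_ntop() stands in for piaddr() with its 46-byte pbuf. */
static int present_len(const unsigned char raw[16])
{
    char pbuf[PBUF_SIZE];
    if (inet_ntop(AF_INET6, raw, pbuf, sizeof(pbuf)) == NULL)
        return -1;
    return (int)strlen(pbuf);
}

/* Bounded alternative to strcpy(addrbuf, ...): returns 0 if src fit,
 * -1 if it was truncated. dst is NUL-terminated in both cases. */
static int copy_addr(char *dst, size_t dstlen, const char *src)
{
    int n = snprintf(dst, dstlen, "%s", src);
    return (n >= 0 && (size_t)n < dstlen) ? 0 : -1;
}

int main(void)
{
    char addrbuf[ADDRBUF_SIZE];
    /* Constructed: the widest string pbuf is sized for (45 characters). */
    const char *wide = "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255";

    printf("pbuf=%zu addrbuf=%zu\n", PBUF_SIZE, ADDRBUF_SIZE);
    printf("all-ones length:  %d\n", present_len(ALL_ONES));
    printf("v4-mapped length: %d\n", present_len(V4_MAPPED));
    printf("45-char copy into addrbuf: %d\n",
           copy_addr(addrbuf, sizeof(addrbuf), wide));
    return 0;
}
```

With a length-checked copy, the 45-character form is truncated and reported rather than written past the 40-byte buffer.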