Subject: Re: [ISC-Bugs #23006] AutoReply: test
Date: Wed, 26 Jan 2011 21:08:28 +1100
To: dhcp-bugs@isc.org
From: dave b

Also, this is amusing: (and I probably got this entirely wrong :P - and I doubt it is a real issue)

dhcpclient.c

    dhcp()
    ...
    char addrbuf[4*16];
    ...
    ...

The following comment is just plain wrong:

    /* piaddr() returns its result in a static buffer sized 4*16 (see common/inet.c). */

Why? Because sizeof pbuf is 46.

source:

    static char pbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];

Ok. Now in dhcpv6()

    ...
    char addrbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")];

the sizeof addrbuf is 40.

Following along:

    /* Discard, with log, packets from quenched sources. */
    for (ap = packet->interface->client->config->reject_list ;
         ap ; ap = ap->next) {
        if (addr_match(&packet->client_addr, &ap->match)) {
WOOPS --->  strcpy(addrbuf, piaddr(packet->client_addr));
            log_info("%s from %s rejected by rule %s",
                     dhcpv6_type_names[packet->dhcpv6_msg_type],
                     addrbuf,
                     piaddrmask(&ap->match.addr, &ap->match.mask));
            return;
        }
    }

From the strcpy manual:

    The strcpy() function copies the string pointed to by src, including
    the terminating null byte ('\0'), to the buffer pointed to by dest.
    The strings may not overlap, and the destination string dest must be
    large enough to receive the copy.

Hum but (for dhcpv6) addrbuf is sizeof 40 and the max of the source string is sizeof 46. Woops.
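The size mismatch described in the message above, worked through as an added example that is not part of the original message and is not ISC DHCP code. The two sizes come from the declarations quoted in the message; `worst_case_overrun` and `copy_addr_text` are hypothetical helpers, and the address strings are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Sizes taken from the two declarations quoted in the message. */
#define PBUF_SIZE    sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255") /* 46 */
#define ADDRBUF_SIZE sizeof("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")       /* 40 */

/* Worst-case number of bytes strcpy() could write past a dst_size buffer. */
static size_t worst_case_overrun(size_t src_size, size_t dst_size)
{
    return src_size > dst_size ? src_size - dst_size : 0;
}

/*
 * Hypothetical helper (not an ISC DHCP function): bounded replacement for
 * strcpy(addrbuf, piaddr(...)). Returns 0 when src fits, -1 when it had to
 * be truncated. dst is always NUL-terminated when dst_size > 0.
 */
static int copy_addr_text(char *dst, size_t dst_size, const char *src)
{
    int n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = snprintf(dst, dst_size, "%s", src);
    return (n < 0 || (size_t)n >= dst_size) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: longest text each declaration allows for. */
    const char *longest_src = "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255";
    const char *longest_v6  = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff";
    char addrbuf[ADDRBUF_SIZE];

    printf("pbuf=%zu addrbuf=%zu overrun=%zu\n", (size_t)PBUF_SIZE,
           (size_t)ADDRBUF_SIZE, worst_case_overrun(PBUF_SIZE, ADDRBUF_SIZE));
    printf("45-char text: %d, stored \"%s\"\n",
           copy_addr_text(addrbuf, sizeof addrbuf, longest_src), addrbuf);
    printf("39-char text: %d, stored \"%s\"\n",
           copy_addr_text(addrbuf, sizeof addrbuf, longest_v6), addrbuf);
    return 0;
}
```

The -1 return lets the caller log or drop on truncation instead of relying on the two buffer declarations staying in sync.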