Subject: Re: [ISC-Bugs #23006] AutoReply: test
From: Mark Andrews
To: dhcp-bugs@isc.org
Date: Wed, 26 Jan 2011 23:11:31 +1100
Message-ID: <20110126121131.D3AE692B859@drugs.dv.isc.org>
In-Reply-To: Your message of "Wed, 26 Jan 2011 10:09:05 -0000."

In message , "dave b via RT" writes:
> Also, this is amusing: ( and I probably got this entirely wrong
> :P - and I doubt it is a real issue)
>
> dhcpclient.c
>
> dhcp()
> ...
> char addrbuf[4*16];
> ...
> ...
> The following comment is just plain wrong:
>
> /* piaddr() returns its result in a static
>    buffer sized 4*16 (see common/inet.c). */
>
> Why? because sizeof pbuf is 46.
> source: static char
>         pbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
>
> Ok.
>
> Now in dhcpv6()
> ...
>
> char addrbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")];
> the sizeof addrbuf is 40.
>
> Following along:
>
> /* Discard, with log, packets from quenched sources. */
> for (ap = packet->interface->client->config->reject_list ;
>      ap ; ap = ap->next) {
>     if (addr_match(&packet->client_addr, &ap->match)) {
>
> WOOPS ---> strcpy(addrbuf, piaddr(packet->client_addr));
>
>         log_info("%s from %s rejected by rule %s",
>                  dhcpv6_type_names[packet->dhcpv6_msg_type],
>                  addrbuf,
>                  piaddrmask(&ap->match.addr, &ap->match.mask)
>         );
>         return;
>     }
> }
>
> From the strcpy manual:
> The strcpy() function copies the string pointed to by src,
> including the terminating null byte ('\0'), to the buffer pointed to
> by dest. The strings may not overlap, and the destination string dest
> must be large enough to receive the copy.
>
> Hum but (for dhcpv6) addrbuf is sizeof 40 and the max of the source
> string is sizeof 46. Woops.

45 is the biggest legal input. No presentation address exceeds 39.

The two forms where a dotted quad is emitted are the following, neither
of which is anywhere near 46 bytes in length.

::111.222.333.444
::ffff:111.222.333.444

However if a flag was ever added to say emit dotted quad then you would
have arbitrary prefixes and it could be reached.

> --
> Ticket History: https://bugs.isc.org/Ticket/Display.html?id=23006

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
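The point argued in the thread, as an added example that is not ISC DHCP code and not from either poster: the source buffer is sized for the 45-character string "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255", but the longest text form a standard inet_ntop() actually emits for any IPv6 address is the 39-character all-hex form, which fits a 40-byte destination. The example measures that over a constructed set of corner-case addresses and replaces the unchecked strcpy() with a length-checked copy that fails closed. It assumes a POSIX inet_ntop() (glibc was used to reason about the dotted-quad forms); checked_copy(), copy_into_hex_only_buf() and HEX_ONLY_ADDRBUF are hypothetical names introduced here.

```c
/* Added example (not ISC DHCP code). Measures the longest text form
 * inet_ntop() emits for a constructed set of IPv6 addresses and shows a
 * length-checked copy that refuses to write rather than overflowing a
 * fixed-size destination the way strcpy() would. Assumes POSIX inet_ntop(). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical destination size modelled on the dhcpv6() addrbuf in the
 * thread: widest pure-hex IPv6 presentation form plus NUL, i.e. 40 bytes. */
#define HEX_ONLY_ADDRBUF sizeof("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")

/* Copy src into dst only if it fits, NUL included. Returns the number of
 * bytes copied (excluding the NUL), or -1 without touching dst if src is
 * not NUL-terminated within dstsize bytes. */
int checked_copy(char *dst, size_t dstsize, const char *src)
{
    /* memchr stops at dstsize, so an over-long src is never scanned past
     * the destination's capacity. */
    const char *end = memchr(src, '\0', dstsize);
    if (end == NULL)
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Convenience wrapper: attempt the copy into a 40-byte stack buffer
 * sized like the hex-only addrbuf and report the result. */
int copy_into_hex_only_buf(const char *src)
{
    char dst[HEX_ONLY_ADDRBUF];
    return checked_copy(dst, sizeof dst, src);
}

/* Longest inet_ntop() output over constructed corner cases: all-ones
 * (pure hex, 39 chars), IPv4-mapped, IPv4-compatible and loopback. */
size_t max_presentation_len(void)
{
    struct in6_addr addrs[4];
    char buf[INET6_ADDRSTRLEN];
    size_t maxlen = 0;

    memset(&addrs[0], 0xff, sizeof addrs[0]);      /* ffff:...:ffff           */
    memset(&addrs[1], 0, sizeof addrs[1]);         /* ::ffff:255.255.255.255  */
    memset(&addrs[1].s6_addr[10], 0xff, 6);
    memset(&addrs[2], 0, sizeof addrs[2]);         /* ::255.255.255.255       */
    memset(&addrs[2].s6_addr[12], 0xff, 4);
    memset(&addrs[3], 0, sizeof addrs[3]);         /* ::1                     */
    addrs[3].s6_addr[15] = 1;

    for (size_t i = 0; i < 4; i++) {
        if (inet_ntop(AF_INET6, &addrs[i], buf, sizeof buf) == NULL)
            return 0;
        size_t n = strlen(buf);
        if (n > maxlen)
            maxlen = n;
    }
    return maxlen;
}

int main(void)
{
    /* The 45-character form the 46-byte static buffer was sized for. */
    const char *widest_source = "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255";

    printf("longest inet_ntop() output: %zu chars\n", max_presentation_len());
    printf("copy of widest real form into %zu-byte buf: %d\n",
           HEX_ONLY_ADDRBUF,
           copy_into_hex_only_buf("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"));
    printf("copy of 45-char source into %zu-byte buf: %d\n",
           HEX_ONLY_ADDRBUF, copy_into_hex_only_buf(widest_source));
    return 0;
}
```

The third line of output is the case the thread calls "woops": the checked copy reports -1 instead of writing six bytes past the end of the 40-byte buffer, which is what strcpy() would do if piaddr() were ever made to emit a dotted quad behind an arbitrary hex prefix.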