1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
From: Bernd Eckenfels <net-tools@lina.inka.de>
Date: Sat, 17 May 2025 21:11:07 +0200
Subject: ipmaddr.c: Stack-based buffer Overflow in parse_hex()
Origin: https://github.com/ecki/net-tools/commit/a7926399a04ee8e629a02a2aeb6de1952d42d559
Coordinated as GHSA-h667-qrp8-gj58.
---
ipmaddr.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ipmaddr.c b/ipmaddr.c
index 64b7564372ea..623fadd4f09d 100644
--- a/ipmaddr.c
+++ b/ipmaddr.c
@@ -91,17 +91,17 @@ static int parse_lla(char *str, char *addr)
return len;
}
-static int parse_hex(char *str, unsigned char *addr)
+static int parse_hex(char *str, unsigned char *dst, size_t dstlen)
{
int len=0;
- while (*str) {
+ while (len < dstlen && *str) {
int tmp;
if (str[1] == 0)
return -1;
if (sscanf(str, "%02x", &tmp) != 1)
return -1;
- addr[len] = tmp;
+ dst[len] = tmp;
len++;
str += 2;
}
@@ -152,7 +152,7 @@ void read_dev_mcast(struct ma_info **result_p)
m.addr.family = AF_PACKET;
- len = parse_hex(hexa, (unsigned char*)&m.addr.data);
+ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof(m.addr.data));
if (len >= 0) {
struct ma_info *ma = xmalloc(sizeof(m));
memcpy(ma, &m, sizeof(m));
@@ -222,7 +222,7 @@ void read_igmp6(struct ma_info **result_p)
m.addr.family = AF_INET6;
- len = parse_hex(hexa, (unsigned char*)&m.addr.data);
+ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof(m.addr.data));
if (len >= 0) {
struct ma_info *ma = xmalloc(sizeof(m));
memcpy(ma, &m, sizeof(m));
--
2.49.0
|
