authorTobias Klauser <tklauser@distanz.ch>2017-03-02 09:45:10 +0100
committerTobias Klauser <tklauser@distanz.ch>2017-03-02 09:45:10 +0100
commiteacba575c3a740e3d02040657f487a30632d8d71 (patch)
tree2adbaae7f05407dcf1c7feb5feed5f1f529a0726
parent4156f1451ac83e0ba1cfa856c86c44af7d30e6f0 (diff)
dev: Fix buffer overflow in device_addr2str()
If the passed buffer is too small to contain an address of length alen (i.e. during fuzzing), we overflow the buffer due to blen being decremented below 0, which gets wrapped around to a really large value when passed as the size argument to snprintf(). Fix it by incorporating the changes to iproute2 ll_addr_n2a() where the issue was fixed in commit f63ed3e62989 ("lib/ll_addr: improve ll_addr_n2a() a bit"). Fixes #170 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
-rw-r--r--dev.c14
1 files changed, 3 insertions, 11 deletions
diff --git a/dev.c b/dev.c
index 2960976..b509aee 100644
--- a/dev.c
+++ b/dev.c
@@ -416,17 +416,9 @@ const char *device_addr2str(const unsigned char *addr, int alen, int type,
if (alen == 16 && type == ARPHRD_TUNNEL6)
return inet_ntop(AF_INET6, addr, buf, blen);
- for (l = 0, i = 0; i < alen; i++) {
- if (i == 0) {
- snprintf(buf + l, blen, "%02x", addr[i]);
- blen -= 2;
- l += 2;
- } else {
- snprintf(buf + l, blen, ":%02x", addr[i]);
- blen -= 3;
- l += 3;
- }
- }
+ snprintf(buf, blen, "%02x", addr[0]);
+ for (i = 1, l = 2; i < alen && l < blen; i++, l += 3)
+ snprintf(buf + l, blen - l, ":%02x", addr[i]);
return buf;
}
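Review bot: The first `snprintf(buf, blen, "%02x", addr[0]);` runs before any bound is checked, so with `alen == 0` it reads `addr[0]` from an empty address. With a non-positive `blen` (its declaration is outside the hunk, but the commit message implies it is signed) the size argument would wrap the same way it did in the old loop. The loop's `l < blen` condition protects only the second and later bytes. A guard ahead of that call would close both cases, for example `if (alen <= 0 || blen <= 0) return "";`, or, if callers rely on getting `buf` back, `if (alen <= 0 || blen <= 0) { if (blen > 0) buf[0] = '\0'; return buf; }`. The start of device_addr2str() is outside the hunk, so an earlier check there may already cover this.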