From eacba575c3a740e3d02040657f487a30632d8d71 Mon Sep 17 00:00:00 2001
From: Tobias Klauser
Date: Thu, 2 Mar 2017 09:45:10 +0100
Subject: dev: Fix buffer overflow in device_addr2str()

If the passed buffer is too small to contain an address of length alen (i.e. during fuzzing), we overflow the buffer due to blen being decremented below 0, which gets wrapped around to a really large value when passed as the size argument to snprintf(). Fix it by incorporating the changes to iproute2 ll_addr_n2a() where the issue was fixed in commit f63ed3e62989 ("lib/ll_addr: improve ll_addr_n2a() a bit").

Fixes #170
Signed-off-by: Tobias Klauser
---
 dev.c | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/dev.c b/dev.c
index 2960976..b509aee 100644
--- a/dev.c
+++ b/dev.c
@@ -416,17 +416,9 @@ const char *device_addr2str(const unsigned char *addr, int alen, int type,
 	if (alen == 16 && type == ARPHRD_TUNNEL6)
 		return inet_ntop(AF_INET6, addr, buf, blen);
 
-	for (l = 0, i = 0; i < alen; i++) {
-		if (i == 0) {
-			snprintf(buf + l, blen, "%02x", addr[i]);
-			blen -= 2;
-			l += 2;
-		} else {
-			snprintf(buf + l, blen, ":%02x", addr[i]);
-			blen -= 3;
-			l += 3;
-		}
-	}
+	snprintf(buf, blen, "%02x", addr[0]);
+	for (i = 1, l = 2; i < alen && l < blen; i++, l += 3)
+		snprintf(buf + l, blen - l, ":%02x", addr[i]);
 
 	return buf;
 }
-- 
cgit v1.2.3-54-g00ecf
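Review bot: The new first line `snprintf(buf, blen, "%02x", addr[0]);` reads addr[0] unconditionally, whereas the removed loop only touched addr[i] for i < alen, so a call with alen == 0 (or a negative alen, which the int parameter permits) now does a one-byte out-of-bounds read on addr. Unless an earlier check in device_addr2str() already rejects such lengths (the function's start is outside this hunk, so I cannot tell), guard it before the first snprintf: `if (blen <= 0) return buf;` followed by `if (alen <= 0) { buf[0] = '\0'; return buf; }`, which also gives the caller a terminated string instead of untouched memory in the empty case. Separately, the `l < blen` bound fixes the overflow but makes truncation silent: an address that does not fit is returned shortened with no indication, which is fine for display but worth a one-line comment such as `/* output is truncated, not an error, when blen is too small for alen bytes */` so nobody later uses the result as a full address.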