Context Navigation

Back to Ticket #1303

Ticket #1303: 0001-Fix-stack-buffer-overruns-in-NEXTADDR-macro.patch

File 0001-Fix-stack-buffer-overruns-in-NEXTADDR-macro.patch, 988 bytes (added by mandree, 4 years ago)
attempt to fix this bug by copying only the unrounded length of data before rounding up the skip pointer

src/openvpn/route.c

From a753097211ff01147ac10f2d48e56fdb18155066 Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Fri, 17 Jul 2020 19:05:58 +0200
Subject: [PATCH] Fix stack buffer overruns in NEXTADDR() macro:

copy first, then round up the length when adding padding
to the advance.

Found by: GCC 9.3.0 (FreeBSD)

Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
---
 src/openvpn/route.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index b57da5dd..24563ed6 100644

  struct rtmsg {
 #else  /* if defined(TARGET_SOLARIS) */
 #define NEXTADDR(w, u) \
     if (rtm_addrs & (w)) { \
         l = ROUNDUP( ((struct sockaddr *)&(u))->sa_len); memmove(cp, &(u), l); cp += l; \
+        l = ((struct sockaddr *)&(u))->sa_len; memmove(cp, &(u), l); cp += ROUNDUP(l); \
+    }
 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))

Download in other formats:

Original Format