Opened 9 years ago
Closed 9 years ago
#488 closed Bug / Defect (notabug)
reading memory beyond array bounds error in src/openvpn/socket.c
Reported by: | antonvys | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | release 2.3.6 |
Component: | Generic / unclassified | Version: | |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | | | |
Description
Hello,
The source file src/openvpn/socket.c contains a memory error on line
number 1270. The source was taken from the latest openvpn-2.3.6 release.
openvpn-2.3.6/src/openvpn/socket.c:
1269: if(status == 0) {
1270: => sock->info.lsa->remote.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr));
1271: freeaddrinfo(ai);
result->ai_addr is of type struct sockaddr, which is defined as:
typedef uint16_t sa_family_t;
struct sockaddr {
sa_family_t sa_family;
char sa_data[14];
};
So this structure is 16 bytes (on both 32-bit and 64-bit).
struct sockaddr_in6 takes 32 bytes.
Type casting sockaddr to sockaddr_in6 as follows:
*((struct sockaddr_in6*)(result->ai_addr))
will result in reading 32 bytes.
sockaddrs are mystic beasts... usually there is a sockaddr_storage or openvpn_sockaddr involved at allocation time, which is a union of all socket address types in use.
In the getaddrinfo() case, getaddrinfo() will ensure there is enough memory to actually store an IPv6 address in the structure, read: a sockaddr_in6 structure - so the caller can rely on the memory being big enough, whatever the "formal" declaration says, and the "ai" involved here is coming out of getaddrinfo().
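The point of the reply above is that `ai_addrlen`, not the formal `struct sockaddr` declaration, tells you how many bytes getaddrinfo() really allocated behind `ai_addr`. The following is an added example (not OpenVPN code) that resolves a numeric address offline, checks `ai_family` and `ai_addrlen` before any family-specific cast, and copies the result into a `sockaddr_storage`; `resolve_into_storage` and `ipv6_result_is_wide_enough` are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

/* Resolve a numeric host string and copy the first result into *out.
 * The copy is sized by ai->ai_addrlen, and the cast target size is
 * checked against it first, so no read ever exceeds what getaddrinfo()
 * allocated. Returns the address family, or -1 on any failure. */
int resolve_into_storage(const char *host, struct sockaddr_storage *out,
                         socklen_t *outlen)
{
    struct addrinfo hints, *ai = NULL;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST;   /* parse only, no DNS: runs offline */
    if (getaddrinfo(host, NULL, &hints, &ai) != 0 || ai == NULL)
        return -1;

    int family = ai->ai_family;
    size_t need = (family == AF_INET6) ? sizeof(struct sockaddr_in6)
                : (family == AF_INET)  ? sizeof(struct sockaddr_in) : 0;
    /* Refuse unknown families, a result shorter than the struct we would
     * cast to, or one larger than the storage we copy into. */
    if (need == 0 || ai->ai_addrlen < need || ai->ai_addrlen > sizeof(*out)) {
        freeaddrinfo(ai);
        return -1;
    }
    memcpy(out, ai->ai_addr, ai->ai_addrlen);
    *outlen = ai->ai_addrlen;
    freeaddrinfo(ai);
    return family;
}

/* 1 if the IPv6 loopback result is at least sizeof(struct sockaddr_in6)
 * bytes even though struct sockaddr itself is smaller, else 0. */
int ipv6_result_is_wide_enough(void)
{
    struct sockaddr_storage ss;
    socklen_t len = 0;
    if (resolve_into_storage("::1", &ss, &len) != AF_INET6)
        return 0;
    return len >= sizeof(struct sockaddr_in6)
        && sizeof(struct sockaddr) < sizeof(struct sockaddr_in6);
}
```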