Opened 6 years ago

Closed 6 years ago

#488 closed Bug / Defect (notabug)

reading memory beyond array bounds error in src/openvpn/socket.c

Reported by: antonvys Owned by:
Priority: minor Milestone: release 2.3.6
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Hello,
the source file src/openvpn/socket.c contains a memory error on line
number 1270. The source was taken from the latest release, openvpn-2.3.6.
openvpn-2.3.6/src/openvpn/socket.c:

    1269:     if(status == 0) {
    1270: =>      sock->info.lsa->remote.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr));
    1271:     freeaddrinfo(ai);

result->ai_addr is of type struct sockaddr, which is defined as:

    typedef uint16_t sa_family_t;
    struct sockaddr {
        sa_family_t sa_family;
        char        sa_data[14];
    };

So this structure is 16 bytes (on both 32-bit and 64-bit).
struct sockaddr_in6 takes 32 bytes.
Type casting sockaddr to sockaddr_in6 as follows:

    *((struct sockaddr_in6*)(result->ai_addr))

will result in reading 32 bytes.

Change History (1)

comment:1 Changed 6 years ago by Gert Döring

Resolution: notabug
Status: new → closed

sockaddrs are mystic beasts... usually there is a sockaddr_storage or openvpn_sockaddr involved at allocation time, which is a union of all socket address types in use.

In the getaddrinfo() case, getaddrinfo() will ensure there is enough memory to actually store an IPv6 address in the structure, read: a sockaddr_in6 structure - so the caller can rely on the memory being big enough, whatever the "formal" declaration says, and the "ai" involved here is coming out of getaddrinfo().
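The distinction the comment draws, between the declared type of ai_addr and the size of the object getaddrinfo() actually allocates for it, can be seen directly: getaddrinfo() reports the real size in ai_addrlen. The following C program is an added example for this ticket, not code from OpenVPN; it resolves a numeric IPv6 literal (so it needs no DNS), shows that ai_addrlen equals sizeof(struct sockaddr_in6) for an AF_INET6 entry, and wraps the copy in a check on ai_family and ai_addrlen so that an entry that really were only a bare struct sockaddr would be rejected rather than over-read. The function names, the port "1194" and the hand-built short addrinfo are constructed for the example.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Copy the address out of an addrinfo entry into a sockaddr_in6, but only
 * after checking the family and the length getaddrinfo() reports for that
 * entry. 'struct sockaddr' is just the generic header type; ai_addrlen is the
 * size of the object ai_addr really points to. Returns 0 on success, -1 if
 * the entry is not a complete IPv6 socket address. (Hypothetical helper.) */
int copy_in6_checked(const struct addrinfo *ai, struct sockaddr_in6 *out)
{
    if (ai == NULL || ai->ai_addr == NULL)
        return -1;
    if (ai->ai_family != AF_INET6)
        return -1;
    if (ai->ai_addrlen < sizeof(struct sockaddr_in6))
        return -1;
    memcpy(out, ai->ai_addr, sizeof(struct sockaddr_in6));
    return 0;
}

/* Resolve an IPv6 literal with AI_NUMERICHOST (no network access needed),
 * copy the first result through the checked helper and return the
 * ai_addrlen getaddrinfo() attached to it, or 0 on failure. */
size_t resolved_in6_len(const char *literal, struct sockaddr_in6 *out)
{
    struct addrinfo hints, *ai = NULL;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET6;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST;
    /* "1194" is a constructed sample port for the example. */
    if (getaddrinfo(literal, "1194", &hints, &ai) != 0 || ai == NULL)
        return 0;
    size_t len = ai->ai_addrlen;
    int rc = copy_in6_checked(ai, out);
    freeaddrinfo(ai);
    return rc == 0 ? len : 0;
}

/* Returns 1 if the copied address is the IPv6 loopback address ::1. */
int is_in6_loopback(const struct sockaddr_in6 *sa)
{
    return memcmp(&sa->sin6_addr, &in6addr_loopback, sizeof(struct in6_addr)) == 0;
}

/* Constructed negative case: an addrinfo whose ai_addr really is only a
 * 16-byte struct sockaddr. The checked copy must refuse it (returns 1 if it
 * does), which is exactly the over-read the ticket worried about. */
int rejects_short_entry(void)
{
    struct sockaddr generic;
    struct addrinfo bogus;
    struct sockaddr_in6 out;
    memset(&generic, 0, sizeof(generic));
    memset(&bogus, 0, sizeof(bogus));
    generic.sa_family = AF_INET6;
    bogus.ai_family = AF_INET6;
    bogus.ai_addr = &generic;
    bogus.ai_addrlen = sizeof(generic);   /* 16 bytes, not a full sockaddr_in6 */
    return copy_in6_checked(&bogus, &out) == -1;
}

int main(void)
{
    struct sockaddr_in6 sa;
    size_t len = resolved_in6_len("::1", &sa);
    printf("sizeof(struct sockaddr)     = %zu\n", sizeof(struct sockaddr));
    printf("sizeof(struct sockaddr_in6) = %zu\n", sizeof(struct sockaddr_in6));
    printf("getaddrinfo() ai_addrlen    = %zu\n", len);
    printf("port %u, loopback %d, short entry rejected %d\n",
           ntohs(sa.sin6_port), is_in6_loopback(&sa), rejects_short_entry());
    return 0;
}
```

Running it shows ai_addrlen matching sizeof(struct sockaddr_in6), which is why the cast at line 1270 is safe for an entry produced by getaddrinfo(); the ai_addrlen check is the defensive form of the same reasoning and is what a reviewer would look for where the addrinfo comes from any other source.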
