ip6address: fix parser array bounds issue/crash #413
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A malformed IP6Address, i.e. with more than 8 components, will cause the memmove/memset at the end of parsing to fail. This code is supposed to move the post-:: bytes to the end of the address and zero out the bytes in the center. Instead, it moves some of the bytes the wrong way, potentially writing prior to parts[] and then zeroing with a negative size. Instead, make the parser stop when it hits 8 components and let parse figure out that we did not consume the entire String. Thanks: American Fuzzy Lop Change-Id: I2966cb22fb5b44eb9e92dfc6a94e891cf5d02fa7
|
I'm worried this isn't right. The bottom of IP6AddressArg::basic_parse has a bunch of |
|
The loop right above does network conversion for d+1 items. Maybe the coloncolon thing needs more refinement, I'm not sure, but I assumed the d-- if p (not currently looking at the code) would turn the 8 into a 7.
~Derrick • iPhone
… On Oct 3, 2018, at 6:39 AM, Eddie Kohler ***@***.***> wrote:
I'm worried this isn't right. The bottom of IP6AddressArg::basic_parse has a bunch of d != 7 cases and 8 != 7.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A malformed IP6Address, i.e. with more than 8 components, will cause the
memmove/memset at the end of parsing to fail. This code is supposed to move
the post-:: bytes to the end of the address and zero out the bytes in the
center. Instead, it moves some of the bytes the wrong way, potentially
writing prior to parts[] and then zeroing with a negative size.
Instead, make the parser stop when it hits 8 components and let parse figure
out that we did not consume the entire String.
Thanks: American Fuzzy Lop
Change-Id: I2966cb22fb5b44eb9e92dfc6a94e891cf5d02fa7