[systemd-commits] 2 commits - src/libsystemd-network

Zbigniew Jędrzejewski-Szmek zbyszek at kemper.freedesktop.org
Sat Aug 30 15:42:47 PDT 2014


 src/libsystemd-network/sd-dhcp6-client.c   |    5 ++++-
 src/libsystemd-network/test-dhcp6-client.c |    4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

New commits:
commit 44481a8b537839cd9ffead4d261491641f5b5260
Author: Zbigniew Jędrzejewski-Szmek <zbyszek at in.waw.pl>
Date:   Sat Aug 30 18:31:21 2014 -0400

    sd-dhcp6-client: properly calculate buffer size when parsing options
    
    Also make pointer calculations more explicit so they are
    easier to understand.

diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c
index 342a231..6860c66 100644
--- a/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/libsystemd-network/sd-dhcp6-client.c
@@ -583,12 +583,15 @@ static int client_parse_message(sd_dhcp6_client *client,
                                 DHCP6Message *message, size_t len,
                                 sd_dhcp6_lease *lease) {
         int r;
-        uint8_t *optval, *option = (uint8_t *)(message + 1), *id = NULL;
+        uint8_t *optval, *option, *id = NULL;
         uint16_t optcode, status;
         size_t optlen, id_len;
         bool clientid = false;
         be32_t iaid_lease;
 
+        option = (uint8_t *)message + sizeof(DHCP6Message);
+        len -= sizeof(DHCP6Message);
+
         while ((r = dhcp6_option_parse(&option, &len, &optcode, &optlen,
                                        &optval)) >= 0) {
                 switch (optcode) {
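Review bot: `len -= sizeof(DHCP6Message);` is an unsigned subtraction with no guard visible in this hunk, so a `len` smaller than the fixed header would wrap to a very large `size_t`, and the loop below would then pass `dhcp6_option_parse()` a length far larger than the received buffer. The callers and the rest of `client_parse_message()` are outside the hunk, so a minimum-size check may already exist upstream. If it does not, reject short messages before subtracting, e.g. `if (len < sizeof(DHCP6Message)) return -EINVAL;`. If a caller does guarantee it, an `assert(len >= sizeof(DHCP6Message));` here would document the precondition next to the arithmetic that depends on it. The AddressSanitizer trace in the second commit shows how the option parser reads out of bounds when the length overstates the buffer.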
diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c
index 259db33..d102a79 100644
--- a/src/libsystemd-network/test-dhcp6-client.c
+++ b/src/libsystemd-network/test-dhcp6-client.c
@@ -205,7 +205,7 @@ static uint8_t msg_reply[173] = {
 static int test_advertise_option(sd_event *e) {
         _cleanup_dhcp6_lease_free_ sd_dhcp6_lease *lease = NULL;
         DHCP6Message *advertise = (DHCP6Message *)msg_advertise;
-        uint8_t *optval, *opt = &msg_advertise[sizeof(DHCP6Message)];
+        uint8_t *optval, *opt = msg_advertise + sizeof(DHCP6Message);
         uint16_t optcode;
         size_t optlen, len = sizeof(msg_advertise) - sizeof(DHCP6Message);
         be32_t val;

commit d182960ae974a0074010a058d0d909846a2f3f79
Author: Patrik Flykt <patrik.flykt at linux.intel.com>
Date:   Fri Aug 29 09:20:46 2014 +0300

    test-dhcp6-client: Fix option length
    
    The whole DHCPv6 test message length was incorrectly used as the length
    of DHCPv6 options causing the following bad memory access:
    
    $ build/test-dhcp6-client
    Assertion 'interface_index >= -1' failed at ../src/libsystemd-network/sd-dhcp6-client.c:129, function sd_dhcp6_client_set_index(). Ignoring.
    =================================================================
    ==29135==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe204aa9148 at pc 0x7fe204a5958f bp 0x7fff3e47d470 sp 0x7fff3e47d460
    READ of size 1 at 0x7fe204aa9148 thread T0
        #0 0x7fe204a5958e in option_parse_hdr ../src/libsystemd-network/dhcp6-option.c:145
        #1 0x7fe204a59884 in dhcp6_option_parse ../src/libsystemd-network/dhcp6-option.c:165
        #2 0x7fe204a4eb9c in test_advertise_option ../src/libsystemd-network/test-dhcp6-client.c:227
        #3 0x7fe204a51c58 in main ../src/libsystemd-network/test-dhcp6-client.c:584
        #4 0x7fe2031590df in __libc_start_main (/lib64/libc.so.6+0x200df)
        #5 0x7fe204a4cc5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)
    
    0x7fe204aa9148 is located 2 bytes to the right of global variable 'msg_advertise' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9080) of size 198
    0x7fe204aa9148 is located 56 bytes to the left of global variable 'msg_reply' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9180) of size 173
    SUMMARY: AddressSanitizer: global-buffer-overflow ../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr

diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c
index 96c68e1..259db33 100644
--- a/src/libsystemd-network/test-dhcp6-client.c
+++ b/src/libsystemd-network/test-dhcp6-client.c
@@ -207,7 +207,7 @@ static int test_advertise_option(sd_event *e) {
         DHCP6Message *advertise = (DHCP6Message *)msg_advertise;
         uint8_t *optval, *opt = &msg_advertise[sizeof(DHCP6Message)];
         uint16_t optcode;
-        size_t optlen, len = sizeof(msg_advertise);
+        size_t optlen, len = sizeof(msg_advertise) - sizeof(DHCP6Message);
         be32_t val;
         uint8_t preference = 255;
         struct in6_addr addr;
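Review bot: In `test_advertise_option()`, `opt` and `len` are derived from `sizeof(DHCP6Message)` on two separate declarations, and nothing records that `len` must count only the option bytes after the header. That mismatch is what led to the overflow quoted in the commit message. A one-line comment on the `len` declaration would keep the pair in sync, e.g. `/* len covers only the options that follow the fixed DHCP6Message header */`. The function body continues outside the hunk, so later uses of `len` cannot be checked from here.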


