Skip Menu |

This queue is for tickets about the Socket CPAN distribution.

Report information
The Basics
Id: 82119
Status: resolved
Priority: 0/
Queue: Socket
People
Owner: Nobody in particular
Requestors: RURBAN [...] cpan.org
Cc: p5p [...] perl.org
AdminCc:
Bug Information
Severity: Critical
Broken in: 2.007
Fixed in: 2.008

History Show all quoted text
  Wed Dec 19 18:04:52 2012 RURBAN [...] cpan.org - Ticket created
CC: p5p [...] perl.org
Subject: Socket inet_ntop overflow
The blead version of Socket has a similar overflow problem as RT #111594 But this time detected on darwin, not only on linux. 2.007 does not seem to have it fixed. See attached patch, detected with asan. $ valgrind perl -Mblib t/sockaddr.t ==52123== Invalid read of size 8 ==52123== at 0x8B4A2C: XS_Socket_inet_ntop (in /Users/rurban/.cpan/build/Socket-2.007- WAywC4/blib/arch/auto/Socket/Socket.bundle) -- Reini Urban
Subject: Socket-inet_ntop-overflow.patch
diff --git a/cpan/Socket/Socket.xs b/cpan/Socket/Socket.xs index 4bfaada..58837aa 100644 --- a/cpan/Socket/Socket.xs +++ b/cpan/Socket/Socket.xs @@ -934,8 +934,13 @@ inet_ntop(af, ip_address_sv) #endif "Socket::inet_ntop", af); } - - Copy(ip_address, &addr, sizeof addr, char); + if (addrlen < sizeof(addr)) { + Copy(ip_address, &addr, addrlen, char); + Zero(&addr+addrlen, sizeof(addr)-addrlen, char); + } + else { + Copy(ip_address, &addr, sizeof addr, char); + } inet_ntop(af, &addr, str, sizeof str); ST(0) = sv_2mortal(newSVpvn(str, strlen(str)));
  Thu Dec 27 10:38:21 2012 leonerd-cpan [...] leonerd.org.uk - Correspondence added
On Wed Dec 19 18:04:52 2012, RURBAN wrote: Show quoted text
> See attached patch, detected with asan. > $ valgrind perl -Mblib t/sockaddr.t
Applied, with some fix. Didn't work as given, due to the fact that &addr + addrlen is well past the structure; it caused glibc stack smash attack detection. Fixed with ((char*)&addr) + addrlen Find attached. Will be in 2.008. -- Paul Evans
Subject: rt82119.patch
=== modified file 'Socket.xs' --- Socket.xs 2012-12-17 22:52:32 +0000 +++ Socket.xs 2012-12-27 15:35:59 +0000 @@ -895,7 +895,7 @@ SV * ip_address_sv CODE: #ifdef HAS_INETNTOP - STRLEN addrlen, struct_size; + STRLEN addrlen; #ifdef AF_INET6 struct in6_addr addr; char str[INET6_ADDRSTRLEN]; @@ -910,8 +910,6 @@ ip_address = SvPV(ip_address_sv, addrlen); - struct_size = sizeof(addr); - switch(af) { case AF_INET: if(addrlen != 4) @@ -935,7 +933,13 @@ "Socket::inet_ntop", af); } - Copy(ip_address, &addr, sizeof addr, char); + if(addrlen < sizeof(addr)) { + Copy(ip_address, &addr, addrlen, char); + Zero(((char*)&addr) + addrlen, sizeof(addr) - addrlen, char); + } + else { + Copy(ip_address, &addr, sizeof addr, char); + } inet_ntop(af, &addr, str, sizeof str); ST(0) = sv_2mortal(newSVpvn(str, strlen(str)));
  Thu Dec 27 10:38:23 2012 The RT System itself - Status changed from 'new' to 'open'
  Thu Dec 27 10:38:23 2012 leonerd-cpan [...] leonerd.org.uk - Status changed from 'open' to 'patched'
  Sun Jan 06 20:45:25 2013 leonerd-cpan [...] leonerd.org.uk - Status changed from 'patched' to 'resolved'
  Sun Jan 06 20:45:26 2013 leonerd-cpan [...] leonerd.org.uk - Fixed in 2.008 added