Module Name: src
Committed By: kre
Date: Wed Dec 7 09:52:34 UTC 2016
Modified Files:
src/lib/libc/net: linkaddr.c
Log Message:
Actually guarantee that the returned buffer from link_ntoa() is always
NUL terminated, even when called by malicious/broken applications.
To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/lib/libc/net/linkaddr.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/lib/libc/net/linkaddr.c
diff -u src/lib/libc/net/linkaddr.c:1.20 src/lib/libc/net/linkaddr.c:1.21
--- src/lib/libc/net/linkaddr.c:1.20 Wed Dec 7 03:16:45 2016
+++ src/lib/libc/net/linkaddr.c Wed Dec 7 09:52:34 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: linkaddr.c,v 1.20 2016/12/07 03:16:45 christos Exp $ */
+/* $NetBSD: linkaddr.c,v 1.21 2016/12/07 09:52:34 kre Exp $ */
/*-
* Copyright (c) 1990, 1993
@@ -34,7 +34,7 @@
#if 0
static char sccsid[] = "@(#)linkaddr.c 8.1 (Berkeley) 6/4/93";
#else
-__RCSID("$NetBSD: linkaddr.c,v 1.20 2016/12/07 03:16:45 christos Exp $");
+__RCSID("$NetBSD: linkaddr.c,v 1.21 2016/12/07 09:52:34 kre Exp $");
#endif
#endif /* LIBC_SCCS and not lint */
@@ -153,6 +153,21 @@ link_ntoa(const struct sockaddr_dl *sdl)
*out++ = (ch); \
} while (/*CONSTCOND*/0)
+ /*
+ * This is not needed on the first call, as the static
+ * obuf wil be fully init'd to 0 by default. But after
+ * obuf has been returned to userspace the first time,
+ * anything may have been written to it, so, let's be safe.
+ *
+ * (An alternative method would be to make ADDC() more
+ * complex:
+ * if (out < obuf + sizeof(obuf) - ((ch) != '\0'))
+ * *out++ = (ch);
+ * so it never returns, and the final ACCD(0) always works
+ * but that evaluates 'ch' twice, and is slower, so ...)
+ */
+ obuf[sizeof(obuf) - 1] = '\0';
+
if (sdl->sdl_nlen) {
if (sdl->sdl_nlen >= sizeof(obuf))
i = sizeof(obuf) - 1;
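Review bot: The comment added above `obuf[sizeof(obuf) - 1] = '\0';` misnames the macro as `ACCD(0)` and has the typo `wil`; since it is the only record of why the store is needed, it should read `ADDC(0)` and `will`. It should also say plainly that ADDC() apparently returns early once the buffer is full, which leaves this last byte as the only terminator. Truncation remains silent to the caller, which deserves a line in the comment or the manual page. In the trailing context `sdl->sdl_nlen` is clamped against `sizeof(obuf)` only; link_ntoa's body continues outside the hunk, so whether the copy out of the sockaddr is also bounded by the structure's own length cannot be seen here and is worth confirming, given that the log message names malicious callers.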