lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 12 Feb 2016 14:47:39 +0100
From:	Nicolas Cavallari <>
Subject: [PATCH iproute2] netns: Fix an off-by-one strcpy() in netns_map_add().

netns_map_add() does a malloc of (sizeof (struct nsid_cache) +
strlen(name)) and then proceed with strcpy() of name into the
zero-length member at the end of the nsid_cache structure.  The
nul-terminator is written outside of the allocated memory and may
overwrite the allocator's internal structure.

This can trigger a segmentation fault on i386 uclibc with names of size 8:
after the corruption occurs, the call to closedir() on netns_map_init()
crashes while freeing the DIR structure.

Here is the relevant valgrind output:

==1251== Memcheck, a memory error detector
==1251== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==1251== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright
==1251== Command: ./ip netns
==1251== Invalid write of size 1
==1251==    at 0x4011975: strcpy (in
==1251==    by 0x8058B00: netns_map_add (ipnetns.c:181)
==1251==    by 0x8058E2A: netns_map_init (ipnetns.c:226)
==1251==    by 0x8058E79: do_netns (ipnetns.c:776)
==1251==    by 0x804D9FF: do_cmd (ip.c:110)
==1251==    by 0x804D814: main (ip.c:300)
 ip/ipnetns.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ip/ipnetns.c b/ip/ipnetns.c
index 088096f..4ce5989 100644
--- a/ip/ipnetns.c
+++ b/ip/ipnetns.c
@@ -172,7 +172,7 @@ static int netns_map_add(int nsid, const char *name)
 	if (netns_map_get_by_nsid(nsid) != NULL)
 		return -EEXIST;
-	c = malloc(sizeof(*c) + strlen(name));
+	c = malloc(sizeof(*c) + strlen(name) + 1);
 	if (c == NULL) {
 		return -ENOMEM;

Powered by blists - more mailing lists