From fc13acc3dcb5b1f215c007f583a63551f6a71363 Mon Sep 17 00:00:00 2001 From: Rich Felker Date: Mon, 23 Mar 2015 09:44:18 -0400 Subject: fix internal buffer overrun in inet_pton one stop condition for parsing abbreviated ipv6 addressed was missed, allowing the internal ip[] buffer to overflow. this patch adds the missing stop condition and masks the array index so that, in case there are any remaining stop conditions missing, overflowing the buffer is not possible. --- src/network/inet_pton.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/network/inet_pton.c b/src/network/inet_pton.c index 4496b47b..d36c3689 100644 --- a/src/network/inet_pton.c +++ b/src/network/inet_pton.c @@ -39,14 +39,15 @@ int inet_pton(int af, const char *restrict s, void *restrict a0) for (i=0; ; i++) { if (s[0]==':' && brk<0) { brk=i; - ip[i]=0; + ip[i&7]=0; if (!*++s) break; + if (i==7) return 0; continue; } for (v=j=0; j<4 && (d=hexval(s[j]))>=0; j++) v=16*v+d; if (j==0) return 0; - ip[i] = v; + ip[i&7] = v; if (!s[j] && (brk>=0 || i==7)) break; if (i==7) return 0; if (s[j]!=':') { -- cgit v1.2.1