Bug 975721 - out of bounds buffer access in loader/net.c
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Assigned To: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-06-19 04:23 EDT by Thomas Jarosch
Modified: 2013-06-21 05:02 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-06-20 21:33:45 EDT
Type: Bug
Description Thomas Jarosch 2013-06-19 04:23:50 EDT
Hi,

I quickly checked anaconda with cppcheck and found the following:

[loader/net.c:983]: (error) Array 'have[2]' accessed at index 2, which is out of bounds.
[loader/net.c:992]: (error) Array 'have[2]' accessed at index 2, which is out of bounds.
[loader/net.c:1042]: (error) Array 'have[2]' accessed at index 2, which is out of bounds.
[loader/net.c:1059]: (error) Array 'have[2]' accessed at index 2, which is out of bounds.
[loader/net.c:1108]: (error) Array 'have[2]' accessed at index 2, which is out of bounds.
[loader/net.c:761]: (error) Array 'stack[2]' accessed at index 2, which is out of bounds.
[loader/net.c:844]: (error) Array 'stack[2]' accessed at index 2, which is out of bounds.
[loader/net.c:1036]: (error) Array 'stack[2]' accessed at index 2, which is out of bounds.
[loader/net.c:1108]: (error) Array 'stack[2]' accessed at index 2, which is out of bounds.
...

The problem is the address family enum in isys/iface.h which
looks like this: "enum { IPUNUSED, IPV4, IPV6 };"

-> IPV6 will probably resolve to "2" for most compilers.


How should we fix this?


cppcheck also reported a bunch of bogus code:
[loader/net.c:892] -> [loader/net.c:888]: (style) Duplicate conditions in 'if' and related 'else if'.
[loader/net.c:945] -> [loader/net.c:943]: (style) Duplicate conditions in 'if' and related 'else if'.
[loader/moduleinfo.c:184] -> [loader/moduleinfo.c:182]: (style) Duplicate conditions in 'if' and related 'else if'.



Cheers,
Thomas
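The pattern cppcheck flagged above, reconstructed as an added example (this is not anaconda's code and not the fix referenced later in the bug): a two-element array indexed by an address-family enum whose largest value is 2. The enum is the one quoted from isys/iface.h; the array names 'have' and 'stack' come from the cppcheck output, but their sizes, the struct and the functions around them are assumptions made for illustration. Note that C numbers enumerators without explicit values from 0 in declaration order, so IPV6 == 2 on every conforming compiler, not just most of them. Two fixes are shown: size the arrays by a trailing count enumerator, or map the enum onto a zero-based slot and reject IPUNUSED.

```c
/* Added example (not anaconda code): the out-of-bounds pattern cppcheck
 * reported for loader/net.c and two ways to close it.  The enum is the one
 * quoted in the report; everything else is a hypothetical reconstruction. */
#include <stddef.h>
#include <string.h>

/* From isys/iface.h as quoted in the report.  An enumerator with no explicit
 * value is one greater than the previous one, starting at 0, so IPV6 == 2
 * by the C standard, independent of the compiler. */
enum { IPUNUSED, IPV4, IPV6 };

/* Buggy sizing (assumed): arrays sized for the two real families but indexed
 * by the raw enum value, so have[IPV6] is element 2 of a 2-element array,
 * one past the end. */
#define OLD_LEN 2

/* Returns 1 if indexing an OLD_LEN-sized array by 'family' is in bounds.
 * This models the check cppcheck performs; it does not do the access. */
int old_index_in_bounds(int family)
{
    return family >= 0 && family < OLD_LEN;
}

/* Fix 1: add a trailing count enumerator and size the arrays by it, so the
 * arrays and the valid indices stay in step if a family is ever added. */
enum iface_family { FAM_UNUSED, FAM_V4, FAM_V6, FAM_COUNT };

struct iface_state {
    int have[FAM_COUNT];   /* configuration present for this family */
    int stack[FAM_COUNT];  /* stack enabled for this family */
};

/* Setter with a range check so a bad family value from a caller cannot write
 * past the arrays.  Returns 0 on success, -1 if the index was rejected. */
int state_set_have(struct iface_state *s, int family, int value)
{
    if (family <= FAM_UNUSED || family >= FAM_COUNT)
        return -1;
    s->have[family] = value;
    return 0;
}

/* Round-trips a value through state_set_have and returns what was stored,
 * or -1 if the family was rejected. */
int have_roundtrip(int family, int value)
{
    struct iface_state s;
    memset(&s, 0, sizeof s);
    if (state_set_have(&s, family, value) != 0)
        return -1;
    return s.have[family];
}

/* Fix 2: keep 2-element arrays and map the enum onto a slot (IPV4 -> 0,
 * IPV6 -> 1), rejecting IPUNUSED and any other value with -1.  Callers then
 * index by the slot, never by the enum value itself. */
int family_slot(int family)
{
    if (family != IPV4 && family != IPV6)
        return -1;
    return family - IPV4;
}

/* Element count of the resized arrays, so the fix can be checked. */
size_t have_len(void)
{
    struct iface_state s;
    return sizeof s.have / sizeof s.have[0];
}
```

Of the two, sizing by a count enumerator is the one that survives future edits: a new family added before the sentinel grows the arrays automatically, whereas the slot mapping has to be revisited by hand. Either way the range check in the setter is what turns a silent one-element overwrite of whatever follows the array into a reported error.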
Comment 1 Brian Lane 2013-06-20 21:33:45 EDT
loader has been gone since f17.
Comment 2 Thomas Jarosch 2013-06-21 05:02:41 EDT
Thanks for checking.

Sorry for the noise, I didn't notice I was on my f12 branch.

Funnily the bug was fixed in 7c297f855a40daf8fd0419d4212514ac98936a0f
though the commit log does not explicitly mention the root cause of the crash :)

So RHEL6 is safe, too.

Cheers,
Thomas
