Subject: lib/18049: inet_ntop() not checking dst buffer boundary correctly.
To: None <gnats-bugs@gnats.netbsd.org>
From: None <seanb@qnx.com>
List: netbsd-bugs
Date: 08/23/2002 08:39:44
>Number: 18049
>Category: lib
>Synopsis: inet_ntop() not checking dst buffer boundary correctly.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Aug 23 08:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Sean Boudreau
>Release: 1-5
>Organization:
QNX
>Environment:
NetBSD fili 1.5.1 NetBSD 1.5.1 (ker.xtang) #2: Mon Jul 30 09:33:07 EDT 2001 root@fili:/usr/src/sys/arch/i386/compile/ker.xtang i386
>Description:
inet_ntop() should fail with ENOSPC if the supplied buffer is too short,
but it doesn't always.
>How-To-Repeat:
Run the following. On the 1-5 branch an actual overflow occurs.
It looks like it is partially fixed on the head branch (moved to strlcpy())
but it doesn't fail with ENOSPC as expected.
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>     /* memset() */
#include <errno.h>

int
main(void)
{
    struct in_addr inaddr;
    unsigned char buf[INET_ADDRSTRLEN];

    /* Fill the buffer with a sentinel so a one-byte overrun is visible. */
    memset(buf, 0xff, sizeof(buf));
    /* 255.255.255.255 is the longest dotted quad: 15 chars plus the NUL. */
    inaddr.s_addr = 0xffffffff;

    /*
     * Offer one byte less than the text plus terminator needs.
     * This should fail with ENOSPC.
     */
    if (inet_ntop(AF_INET, &inaddr, (char *)buf, sizeof(buf) - 1) == NULL &&
        errno == ENOSPC) {
        printf("success\n");
        return 0;
    }
    /* If the last byte is no longer 0xff, the terminator was written past 'size'. */
    fprintf(stderr, "Failed%s.\n",
        buf[INET_ADDRSTRLEN - 1] != 0xff ? " with overflow" : "");
    return 1;
}
>Fix:
The return value of s[n]printf() doesn't include the terminating NULL, so
it has to be accounted for.
Index: inet_ntop.c
===================================================================
RCS file: /cvsroot/basesrc/lib/libc/net/inet_ntop.c,v
retrieving revision 1.11
diff -c -r1.11 inet_ntop.c
*** inet_ntop.c 2002/08/16 07:39:44 1.11
--- inet_ntop.c 2002/08/23 15:14:35
***************
*** 109,115 ****
l = snprintf(tmp, sizeof(tmp), "%u.%u.%u.%u",
src[0], src[1], src[2], src[3]);
! if (l <= 0 || l > size) {
errno = ENOSPC;
return (NULL);
}
--- 109,115 ----
l = snprintf(tmp, sizeof(tmp), "%u.%u.%u.%u",
src[0], src[1], src[2], src[3]);
! if (l <= 0 || l >= size) {
errno = ENOSPC;
return (NULL);
}
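Review bot: the changed line mixes the signed `int` that snprintf() returns in `l` with `size`, whose type is not visible in the hunk; `l <= 0` is checked first, so a negative `l` never reaches the second test, but if `size` is unsigned the comparison `l >= size` still converts `l` implicitly. Consider writing it as `(size_t)l >= size` (or whatever `size` is declared as) so the intent of the `>=` is explicit. A second point on the same line: snprintf() returns the length it would have produced even when it truncates into `tmp`, so the check only detects the destination being too small and relies on `tmp` holding "255.255.255.255" plus the terminator; a one-line comment stating that invariant next to the check would make the reasoning clear to the next reader.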
>Release-Note:
>Audit-Trail:
>Unformatted:
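The off-by-one the PR describes, shown as an added example that is not part of the original report or of NetBSD's libc. Two hypothetical stand-ins for the AF_INET path of inet_ntop() format a four-byte address into a caller-supplied buffer; ntop4_before() uses the `l > size` test and ntop4_after() the `l >= size` test from the patch. The probe() helper calls either one with a canary byte placed at dst[size] and reports whether the call failed with ENOSPC, succeeded within bounds, or wrote the terminating NUL past the buffer. The function names, the size_t length parameter and the constructed sample addresses are all assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Longest dotted quad "255.255.255.255": 15 characters plus the NUL. */
#define DOTTED_QUAD_MAX (sizeof "255.255.255.255")

typedef const char *(*ntop4_fn)(const unsigned char *src, char *dst, size_t size);

/* Hypothetical 'before' variant: snprintf() returns the text length without
 * the NUL, so `l > size` lets l == size through and the terminator written
 * by memcpy() lands at dst[size], one byte past the caller's buffer. */
const char *ntop4_before(const unsigned char *src, char *dst, size_t size)
{
    char tmp[DOTTED_QUAD_MAX];
    int l = snprintf(tmp, sizeof tmp, "%u.%u.%u.%u",
        (unsigned)src[0], (unsigned)src[1], (unsigned)src[2], (unsigned)src[3]);
    if (l <= 0 || (size_t)l > size) {
        errno = ENOSPC;
        return NULL;
    }
    memcpy(dst, tmp, (size_t)l + 1);   /* l + 1 bytes: overflows when l == size */
    return dst;
}

/* Hypothetical 'after' variant: `l >= size` demands room for text *and* NUL. */
const char *ntop4_after(const unsigned char *src, char *dst, size_t size)
{
    char tmp[DOTTED_QUAD_MAX];
    int l = snprintf(tmp, sizeof tmp, "%u.%u.%u.%u",
        (unsigned)src[0], (unsigned)src[1], (unsigned)src[2], (unsigned)src[3]);
    if (l <= 0 || (size_t)l >= size) {
        errno = ENOSPC;
        return NULL;
    }
    memcpy(dst, tmp, (size_t)l + 1);   /* always fits: l + 1 <= size here */
    return dst;
}

enum probe_result { PROBE_OK, PROBE_ENOSPC, PROBE_OVERFLOW, PROBE_OTHER };

/* Call fn with a buffer of `size` bytes whose byte at index `size` is a
 * 0xff canary; classify what happened. Valid for size < DOTTED_QUAD_MAX + 1. */
enum probe_result probe(ntop4_fn fn, const unsigned char addr[4], size_t size)
{
    char buf[DOTTED_QUAD_MAX + 1];     /* one spare byte so buf[size] exists */
    if (size >= sizeof buf)
        return PROBE_OTHER;
    memset(buf, 0xff, sizeof buf);
    errno = 0;
    const char *r = fn(addr, buf, size);
    if ((unsigned char)buf[size] != 0xff)
        return PROBE_OVERFLOW;         /* the NUL went past the buffer */
    if (r == NULL)
        return errno == ENOSPC ? PROBE_ENOSPC : PROBE_OTHER;
    /* Success must leave a terminator inside the first `size` bytes. */
    return memchr(buf, '\0', size) != NULL ? PROBE_OK : PROBE_OTHER;
}

int main(void)
{
    static const char *names[] = { "ok", "ENOSPC", "OVERFLOW", "other" };
    const unsigned char all_ff[4] = { 255, 255, 255, 255 };   /* constructed input */
    const unsigned char small[4] = { 1, 2, 3, 4 };            /* constructed input */

    printf("before, 255.255.255.255, size 15: %s\n", names[probe(ntop4_before, all_ff, 15)]);
    printf("after,  255.255.255.255, size 15: %s\n", names[probe(ntop4_after, all_ff, 15)]);
    printf("after,  255.255.255.255, size 16: %s\n", names[probe(ntop4_after, all_ff, 16)]);
    printf("before, 1.2.3.4,         size 7:  %s\n", names[probe(ntop4_before, small, 7)]);
    printf("after,  1.2.3.4,         size 8:  %s\n", names[probe(ntop4_after, small, 8)]);
    return 0;
}
```

The canary sits exactly at dst[size] because that is the only byte the `l > size` test can reach: the text itself is bounded by snprintf() into tmp, so the overrun is always the single terminating NUL, which is why the original report's buffer looked intact except for its last byte.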