We get a pointer to the end of the address string (ipaddr), but then call snprintf and pass in tmpbuf, which is a pointer to the beginning of the address string. If someone passes in an address with a scopeid then we end up overwriting the entire address string.

Reported-by: Björn JACKE <bj@xxxxxxxxx>
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>
--- resolve_host.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/resolve_host.c b/resolve_host.c index 7687503..69859a3 100644 --- a/resolve_host.c +++ b/resolve_host.c @@ -71,7 +71,7 @@ int resolve_host(const char *host, char *addrstr) if (sin6->sin6_scope_id) { len = strnlen(tmpbuf, sizeof(tmpbuf)); ipaddr = tmpbuf + len; - snprintf(tmpbuf, sizeof(tmpbuf) - len, "%%%u", + snprintf(ipaddr, sizeof(tmpbuf) - len, "%%%u", sin6->sin6_scope_id); } break; -- 1.7.4
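Review bot: the return value of the corrected `snprintf(ipaddr, sizeof(tmpbuf) - len, "%%%u", ...)` call is still ignored, so a scope id suffix that does not fit in the remaining space is silently truncated and the resulting address string names a different zone index than `sin6->sin6_scope_id`. The same applies when `strnlen(tmpbuf, sizeof(tmpbuf))` returns `sizeof(tmpbuf)`: the size argument becomes 0, nothing is appended, and the address goes out without its scope. Consider comparing the `snprintf` result against `sizeof(tmpbuf) - len` and treating a value greater than or equal to it (or a negative one) as a resolution failure rather than continuing with a shortened string. Switching the destination from `tmpbuf` to `ipaddr` is otherwise consistent with the size computation already in place.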