On Tue, 15 Feb 2011 13:31:10 -0500 Jeff Layton <jlayton@xxxxxxxxx> wrote:

> We get a pointer to the end of the address string (ipaddr), but then call
> snprintf and pass in tmpbuf which is a pointer to the beginning of the
> address string. If someone passes in an address with a scopeid then we
> end up overwriting the entire address string.
>
> Reported-by: Björn JACKE <bj@xxxxxxxxx>
> Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>
> --- > resolve_host.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/resolve_host.c b/resolve_host.c > index 7687503..69859a3 100644 > --- a/resolve_host.c > +++ b/resolve_host.c > @@ -71,7 +71,7 @@ int resolve_host(const char *host, char *addrstr) > if (sin6->sin6_scope_id) { > len = strnlen(tmpbuf, sizeof(tmpbuf)); > ipaddr = tmpbuf + len; > - snprintf(tmpbuf, sizeof(tmpbuf) - len, "%%%u", > + snprintf(ipaddr, sizeof(tmpbuf) - len, "%%%u", > sin6->sin6_scope_id); > } > break;

Merged, should make 4.9.

--
Jeff Layton <jlayton@xxxxxxxxx>
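Review bot: the return value of the corrected snprintf(ipaddr, sizeof(tmpbuf) - len, "%%%u", ...) call is still discarded, so a "%<scope_id>" suffix that does not fit in the remaining sizeof(tmpbuf) - len bytes is truncated silently, and a shortened scope id can still read as a valid but different one. Suggest capturing the result, comparing it against sizeof(tmpbuf) - len, and failing the resolve when the suffix was cut short. The same comparison also covers the case where strnlen returns sizeof(tmpbuf) because no terminator was found: the size argument is then 0 and nothing is appended. Since the old code replaced the whole address with just the scope suffix, a test that resolves a link-local IPv6 address with a non-zero scope id and checks that the address text is still present ahead of the "%" would keep this from regressing.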