[prev in list] [next in list] [prev in thread] [next in thread] 

List:       keepalived-devel
Subject:    [Keepalived-devel] Buffer overrun in vrrp_vmac code
From:       "Ryan O'Hara" <rohara () redhat ! com>
Date:       2014-01-15 20:59:27
Message-ID: 20140115205927.GD17788 () redhat ! com
[Download RAW message or body]


While trying to track down a potential buffer overrun problem in
vrrp_vmac.c, I begin studying some of the rtnetlink code. There are a
few places where rta_len is set that seem wrong and possibly
unnecessary. For example:

linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;

First, this pointer arithmetic seems strange. After looking at
addattr_l code in vrrp_netlink.c, it seems rta_len is being set there
which causes me to wonder why rta_len is modified as show above. I'm
happy to patch this but I'd appreciate feedback.

Ryan


------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Keepalived-devel mailing list
Keepalived-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/keepalived-devel
[prev in list] [next in list] [prev in thread] [next in thread]