Red Hat issue 1022063: out-of-range shifts on net mask bits

This commit is contained in:
Gerhard Rieger 2014-01-21 19:26:14 +01:00
parent 2e17542be7
commit 04ad6d5275
4 changed files with 85 additions and 11 deletions

View file

@ -30,6 +30,8 @@ corrections:
On big endian platforms with type long >32bit the range option applied a
bad base address. Thanks to hejia hejia for reporting and fixing this bug.
Red Hat issue 1022063: out-of-range shifts on net mask bits
Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()

49
test.sh
View file

@ -11249,6 +11249,55 @@ PORT=$((PORT+1))
N=$((N+1))
# socat up to version 1.7.2.3
# had a bug that converted a bit mask of 0 internally to 0xffffffff
NAME=TCP4RANGE_0BITS
case "$TESTS" in
*%functions%*|*%tcp%*|*%tcp4%*|*%ip4%*|*%range%*|*%$NAME%*)
TEST="$NAME: correct evaluation of range mask 0"
if ! eval $NUMCOND; then :;
elif [ -z "$SECONDADDR" ]; then
# we need access to a second addresses
$PRINTF "test $F_n $TEST... ${YELLOW}need a second IPv4 address${NORMAL}\n" $N
numCANT=$((numCANT+1))
else
tf="$td/test$N.stdout"
tdiff="$td/test$N.diff"
da="test$N $(date) $RANDOM"
#testserversec "$N" "$TEST" "$opts -s" "tcp4-l:$PORT,reuseaddr,fork,retry=1" "" "range=$SECONDADDR/32" "tcp4:127.0.0.1:$PORT" 4 tcp $PORT 0
CMD0="$SOCAT $opts TCP4-LISTEN:$PORT,reuseaddr,range=127.0.0.1/0 CREATE:$tf"
CMD1="$SOCAT $opts - TCP4-CONNECT:$SECONDADDR:$PORT,bind=$SECONDADDR"
printf "test $F_n $TEST... " $N
$CMD0 2>"${te}0" &
pid0=$!
waittcp4port $PORT 1
echo "$da" |$CMD1 >"${tf}1" 2>"${te}1"
rc1=$?
kill $pid0 2>/dev/null; wait
if [ $rc1 != 0 ]; then
$PRINTF "${YELLOW}invocation failed${NORMAL}\n"
numCANT=$((numCANT+1))
elif ! [ -f "$tf" ]; then
$PRINTF "$FAILED\n"
echo "$CMD0 &"
echo "$CMD1"
cat "${te}0"
cat "${te}1"
numFAIL=$((numFAIL+1))
elif ! echo "$da" |diff - "$tf" >"$tdiff"; then
$PRINTF "${YELLOW}diff failed${NORMAL}\n"
numCANT=$((numCANT+1))
else
$PRINTF "$OK\n"
numOK=$((numOK+1))
fi
fi ;; # $SECONDADDR, NUMCOND
esac
PORT=$((PORT+1))
N=$((N+1))
###############################################################################
# here come tests that might affect your systems integrity. Put normal tests
# before this paragraph.

View file

@ -20,7 +20,7 @@ int xioparsenetwork_ip4(const char *rangename, struct xiorange *range) {
struct in_addr *netmask_in = &range->netmask.ip4.sin_addr;
char *rangename1; /* a copy of rangename with writing allowed */
char *delimpos; /* absolute address of delimiter */
int bits;
unsigned int bits; /* netmask bits */
if ((rangename1 = strdup(rangename)) == NULL) {
Error1("strdup(\"%s\"): out of memory", rangename);
@ -28,8 +28,20 @@ int xioparsenetwork_ip4(const char *rangename, struct xiorange *range) {
}
if (delimpos = strchr(rangename1, '/')) {
bits = strtoul(delimpos+1, NULL, 10);
netmask_in->s_addr = htonl((0xffffffff << (32-bits)));
char *endptr;
bits = strtoul(delimpos+1, &endptr, 10);
if (! ((*(delimpos+1) != '\0') && (*endptr == '\0'))) {
Error1("not a valid netmask in \"%s\"", rangename);
bits = 32; /* most secure selection */
} else if (bits > 32) {
Error1("netmask \"%s\" is too large", rangename);
bits = 32;
}
if (bits <= 0) {
netmask_in->s_addr = 0;
} else {
netmask_in->s_addr = htonl((0xffffffff << (32-bits)));
}
} else if (delimpos = strchr(rangename1, ':')) {
if ((maskaddr = Gethostbyname(delimpos+1)) == NULL) {
/* note: cast is req on AIX: */

View file

@ -78,7 +78,8 @@ const struct optdesc opt_ipv6_recvpathmtu = { "ipv6-recvpathmtu", "recvpathmtu",
int xioparsenetwork_ip6(const char *rangename, struct xiorange *range) {
char *delimpos; /* absolute address of delimiter */
size_t delimind; /* index of delimiter in string */
int bits;
unsigned int bits; /* netmask bits */
char *endptr;
char *baseaddr;
union sockaddr_union sockaddr;
socklen_t sockaddrlen = sizeof(sockaddr);
@ -112,22 +113,32 @@ int xioparsenetwork_ip6(const char *rangename, struct xiorange *range) {
rangeaddr->u6_addr32[1] = nameaddr->u6_addr32[1];
rangeaddr->u6_addr32[2] = nameaddr->u6_addr32[2];
rangeaddr->u6_addr32[3] = nameaddr->u6_addr32[3];
bits = strtoul(delimpos+1, NULL, 10);
if (bits > 128) {
Error1("invalid number of mask bits %u", bits);
return STAT_NORETRY;
bits = strtoul(delimpos+1, &endptr, 10);
if (! ((*(delimpos+1) != '\0') && (*endptr == '\0'))) {
Error1("not a valid netmask in \"%s\"", rangename);
bits = 128; /* most secure selection */
} else if (bits > 128) {
Error1("netmask \"%s\" is too large", rangename);
bits = 128;
}
if (bits < 32) {
/* I am starting to dislike C...uint32_t << 32 is undefined... */
if (bits == 0) {
rangemask->u6_addr32[0] = 0;
rangemask->u6_addr32[1] = 0;
rangemask->u6_addr32[2] = 0;
rangemask->u6_addr32[3] = 0;
} else if (bits <= 32) {
rangemask->u6_addr32[0] = htonl(0xffffffff << (32-bits));
rangemask->u6_addr32[1] = 0;
rangemask->u6_addr32[2] = 0;
rangemask->u6_addr32[3] = 0;
} else if (bits < 64) {
} else if (bits <= 64) {
rangemask->u6_addr32[0] = 0xffffffff;
rangemask->u6_addr32[1] = htonl(0xffffffff << (64-bits));
rangemask->u6_addr32[2] = 0;
rangemask->u6_addr32[3] = 0;
} else if (bits < 96) {
} else if (bits <= 96) {
rangemask->u6_addr32[0] = 0xffffffff;
rangemask->u6_addr32[1] = 0xffffffff;
rangemask->u6_addr32[2] = htonl(0xffffffff << (96-bits));