    slirp: tftp, copy sockaddr_size · 17eb587a
    Marc-André Lureau authored
    ASAN detects an "unknown-crash" when running pxe-test:
    
    /ppc64/pxe/spapr-vlan: =================================================================
    ==7143==ERROR: AddressSanitizer: unknown-crash on address 0x7f6dcd298d30 at pc 0x55e22218830d bp 0x7f6dcd2989e0 sp 0x7f6dcd2989d0
    READ of size 128 at 0x7f6dcd298d30 thread T2
        #0 0x55e22218830c in tftp_session_allocate /home/elmarco/src/qq/slirp/tftp.c:73
        #1 0x55e22218a1f8 in tftp_handle_rrq /home/elmarco/src/qq/slirp/tftp.c:289
        #2 0x55e22218b54c in tftp_input /home/elmarco/src/qq/slirp/tftp.c:446
        #3 0x55e2221833fe in udp6_input /home/elmarco/src/qq/slirp/udp6.c:82
        #4 0x55e222137b17 in ip6_input /home/elmarco/src/qq/slirp/ip6_input.c:67
    
    Address 0x7f6dcd298d30 is located in stack of thread T2 at offset 96 in frame
        #0 0x55e222182420 in udp6_input /home/elmarco/src/qq/slirp/udp6.c:13
    
      This frame has 3 object(s):
        [32, 48) '<unknown>'
        [96, 124) 'lhost' <== Memory access at offset 96 partially overflows this variable
        [160, 200) 'save_ip' <== Memory access at offset 96 partially underflows this variable
    
    The sockaddr_storage pointer is the sockaddr_in6 lhost on the
    stack. Copy only the source addr size.
    
    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
    Reviewed-by: Thomas Huth <thuth@redhat.com>
    Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
    Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
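
The bounded copy described in the commit message above, as an added example that is not code from the commit or from the slirp source: the copy length is chosen by address family, so a sockaddr_in6 reached through a sockaddr_storage pointer is never read past its end. The names addr_len_for_family, copy_peer_addr and demo_ipv6_copy are hypothetical, and the port and loopback address are constructed sample values.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper: size of the concrete address behind ss, by family. */
static size_t addr_len_for_family(const struct sockaddr_storage *ss)
{
    switch (ss->ss_family) {
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    default:       return 0; /* unknown family: copy nothing */
    }
}

/* Bounded copy. dst is a real sockaddr_storage; src may point at a smaller
 * sockaddr_in or sockaddr_in6 that the caller keeps on its stack. A full
 * sizeof(*dst) copy would read past such an object, which is the kind of
 * over-read the ASAN report shows. Returns the number of bytes copied,
 * 0 if the family is not handled. */
static size_t copy_peer_addr(struct sockaddr_storage *dst,
                             const struct sockaddr_storage *src)
{
    size_t n = addr_len_for_family(src);
    memset(dst, 0, sizeof(*dst)); /* no stale bytes after the address */
    if (n != 0)
        memcpy(dst, src, n);
    return n;
}

/* Constructed caller: an IPv6 source address held in a sockaddr_in6 local,
 * as lhost is in the report, passed through a sockaddr_storage pointer. */
static size_t demo_ipv6_copy(struct sockaddr_storage *out)
{
    struct sockaddr_in6 lhost;
    memset(&lhost, 0, sizeof(lhost));
    lhost.sin6_family = AF_INET6;
    lhost.sin6_port = htons(69);        /* constructed sample: TFTP port */
    lhost.sin6_addr = in6addr_loopback; /* constructed sample address */
    return copy_peer_addr(out, (const struct sockaddr_storage *)&lhost);
}

int main(void)
{
    struct sockaddr_storage peer;
    return demo_ipv6_copy(&peer) == sizeof(struct sockaddr_in6) ? 0 : 1;
}
```

Building this with -fsanitize=address gives a clean run, because no read goes beyond the sockaddr_in6 local.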
tftp.c 11.1 KB