From: Sage Weil
Date: Sun, 17 Jun 2012 03:09:04 +0000 (-0700)
Subject: msg: fix buffer overflow in ipv6 addr parsing
X-Git-Tag: v0.48argonaut~51
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=5efaa8d7799347dfae38333b1fd6e1a87dc76b28;p=ceph.git
msg: fix buffer overflow in ipv6 addr parsing
Noticed because of failing i386 unit tests for long addrs; x86_64 passed fine. Sigh. FTR, the failing address was 2001:0db8:85a3:0000:0000:8a2e:0370:7334 Sadly the full length addrs don't turn it up on x86_64, still, nor does valgrind notice. But, this fixes it on i386.
Signed-off-by: Sage Weil
---
diff --git a/src/msg/msg_types.cc b/src/msg/msg_types.cc
index 676adbab9c27f..5c22dc8d66433 100644
--- a/src/msg/msg_types.cc
+++ b/src/msg/msg_types.cc
@@ -69,7 +69,7 @@ bool entity_addr_t::parse(const char *s, const char **end)
 }
 *o = 0;
- char buf6[39];
+ char buf6[64]; // actually 39 + null is sufficient.
 o = buf6;
 p = start;
 while (o < buf6 + sizeof(buf6) &&
diff --git a/src/test/test_addrs.cc b/src/test/test_addrs.cc
index d7a693255c369..8cb3d4d7ab969 100644
--- a/src/test/test_addrs.cc
+++ b/src/test/test_addrs.cc
@@ -32,6 +32,7 @@ const char *addr_checks[][3] = {
 { "[2607:f298:4:2243::5522]a", "[2607:f298:4:2243::5522]:0/0", "a" },
 { "[2607:f298:4:2243::5522]:1234a", "[2607:f298:4:2243::5522]:1234/0", "a" },
 { "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "[2001:db8:85a3::8a2e:370:7334]:0/0", "" },
+ { "2001:2db8:85a3:4334:4324:8a2e:1370:7334", "[2001:2db8:85a3:4334:4324:8a2e:1370:7334]:0/0", "" },
 { "::", "[::]:0/0", "" },
 { "::zz", "[::]:0/0", "zz" },
 { ":: 12:34", "[::]:0/0", " 12:34" },
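Review bot: In src/msg/msg_types.cc the copy loop is still bounded by `o < buf6 + sizeof(buf6)`, so `o` can stop one past the end of the array. If the loop is followed by the same `*o = 0;` terminator that the context lines show for the preceding buffer, an input with enough accepted characters to fill all 64 bytes would still write the NUL out of bounds; enlarging the array moves the threshold rather than removing it. I would reserve the terminator's byte in the bound, `while (o < buf6 + sizeof(buf6) - 1 &&`, and size the array with `INET6_ADDRSTRLEN` instead of a literal. The `*o = 0;` visible just above the change suggests the IPv4 buffer follows the same pattern and needs the same bound. The loop body and the rest of parse() lie outside the hunk, so the terminator for buf6 is inferred rather than seen.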
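Review bot: The row added to addr_checks in src/test/test_addrs.cc covers a full-length address that fits the buffer, but no row exercises input longer than the buffer, which is the boundary the fix depends on. I would add a row whose input is an over-long run of hex groups, with the expected output set to whatever parse() is meant to return for it, and a comment such as `// longer than any valid IPv6 text form: must not overrun the parse buffer`. The commit message says valgrind and the x86_64 build did not catch the original overflow, so this test is only meaningful if it also runs under a build with stack-buffer checking such as AddressSanitizer.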