struct sockaddr overrun with ipv6 addresses

Bug #1319250 reported by Andy B on 2014-05-14
This bug affects 1 person
Affects Status Importance Assigned to Milestone

Bug Description

version 1.1.12

Complete corruption of IPv6 addresses in gearadmin --workers and log output.

Steps to reproduce:

1. start gearmand
2. on ipv6 localhost: gearadmin -h ::1 --workers
3. on ipv6 link-local: gearadmin -h fe80::a00:27ff:fe34:3379%eth0 --workers

Actual output for 2:
33 ::e8bf:8995:757f:0%33 - :
Actual output for 3:
33 fe80::e8bf:444b:657f:0%33 - :

Expected output for 2:
33 ::1 - :
Expected output for 3:
33 fe80::a00:27ff:fe34:3379%eth0 - :

This is due to struct sockaddr not being big enough to hold struct sockaddr_in6. struct sockaddr_storage is supposed to be used for this. Attached patch fixes this.

I did not observe a crash from this, but it appears that data beyond the end of the structure is being accessed (I've observed the ipv6 scope identifier being the same value as the worker offset, 33 and %33 as shown above, in every case during my research), which may be exploitable to cause a DOS.

Andy B (u-launchpad-x) wrote :
description: updated
description: updated
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers