struct sockaddr overrun with ipv6 addresses
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Gearman | New | Undecided | Unassigned |
Bug Description
version 1.1.12
Complete corruption of IPv6 addresses in gearadmin --workers and log output.
Steps to reproduce:
1. start gearmand
2. on ipv6 localhost: gearadmin -h ::1 --workers
3. on ipv6 link-local: gearadmin -h fe80::a00:
Actual output for 2:

```text
33 ::e8bf:
.
```

Actual output for 3:

```text
33 fe80::e8bf:
.
```

Expected output for 2:

```text
33 ::1 - :
.
```

Expected output for 3:

```text
33 fe80::a00:
.
```
This is due to struct sockaddr not being big enough to hold struct sockaddr_in6. struct sockaddr_storage is supposed to be used for this. Attached patch fixes this.
I did not observe a crash from this, but it appears that data beyond the end of the structure is being accessed (I've observed the IPv6 scope identifier being the same value as the worker offset, 33 and %33 as shown above, in every case during my research), which may be exploitable to cause a DoS.
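As an added illustration (this is not the reporter's attached patch and not Gearman's own code), the C below shows why a `struct sockaddr` cannot hold an IPv6 peer address, which bytes of `sin6_addr` and `sin6_scope_id` fall past its end, and how a `struct sockaddr_storage` plus `inet_ntop()` formats both address families correctly. The sample peer address `fe80::1` with scope id 2 and port 4730 is constructed for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* struct sockaddr is only 16 bytes; struct sockaddr_in6 is larger, so
 * filling an IPv6 address through a struct sockaddr writes past its end. */
int sockaddr_holds_in6(void) {
    return sizeof(struct sockaddr) >= sizeof(struct sockaddr_in6);   /* 0 */
}

/* struct sockaddr_storage is sized and aligned for every supported family. */
int storage_holds_in6(void) {
    return sizeof(struct sockaddr_storage) >= sizeof(struct sockaddr_in6);   /* 1 */
}

/* How many bytes of the 16-byte sin6_addr lie beyond a struct sockaddr.
 * Those bytes are whatever happens to follow the undersized buffer, which is
 * why the first half of the printed address is right and the rest is garbage. */
size_t in6_addr_bytes_past_sockaddr(void) {
    size_t end = offsetof(struct sockaddr_in6, sin6_addr) + sizeof(struct in6_addr);
    return end > sizeof(struct sockaddr) ? end - sizeof(struct sockaddr) : 0;
}

/* The scope id lives entirely outside a struct sockaddr, so reading it
 * through a cast returns a neighbouring variable (the report saw the fd). */
int scope_id_outside_sockaddr(void) {
    return offsetof(struct sockaddr_in6, sin6_scope_id) >= sizeof(struct sockaddr);
}

/* Constructed sample peer (not taken from the report): fe80::1%2, port 4730. */
void make_sample_peer(struct sockaddr_storage *ss) {
    struct sockaddr_in6 *sa = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof *ss);
    sa->sin6_family = AF_INET6;
    sa->sin6_port = htons(4730);
    sa->sin6_scope_id = 2;
    inet_pton(AF_INET6, "fe80::1", &sa->sin6_addr);
}

/* Correct pattern: keep the peer in a sockaddr_storage, switch on ss_family,
 * and let inet_ntop pick the right in_addr/in6_addr. Returns 0 on success. */
int format_peer(const struct sockaddr_storage *ss, char *out, size_t outlen) {
    const void *addr;
    if (ss->ss_family == AF_INET)
        addr = &((const struct sockaddr_in *)ss)->sin_addr;
    else if (ss->ss_family == AF_INET6)
        addr = &((const struct sockaddr_in6 *)ss)->sin6_addr;
    else
        return -1;
    return inet_ntop(ss->ss_family, addr, out, (socklen_t)outlen) ? 0 : -1;
}

/* Round trip the sample through the storage-based path; 1 if it prints intact. */
int round_trip_ok(void) {
    struct sockaddr_storage ss;
    char buf[INET6_ADDRSTRLEN];
    make_sample_peer(&ss);
    if (format_peer(&ss, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, "fe80::1") == 0
        && ((struct sockaddr_in6 *)&ss)->sin6_scope_id == 2;
}

int main(void) {
    printf("sizeof sockaddr=%zu sockaddr_in6=%zu sockaddr_storage=%zu\n",
           sizeof(struct sockaddr), sizeof(struct sockaddr_in6),
           sizeof(struct sockaddr_storage));
    printf("sin6_addr bytes past struct sockaddr: %zu\n", in6_addr_bytes_past_sockaddr());
    printf("scope id outside struct sockaddr: %d\n", scope_id_outside_sockaddr());
    printf("round trip via sockaddr_storage ok: %d\n", round_trip_ok());
    return 0;
}
```

The same rule applies wherever a peer address is received: pass a `struct sockaddr_storage` (with `socklen_t len = sizeof ss`) to `accept()`, `getpeername()` or `recvfrom()`, and only cast to `sockaddr_in6` after checking `ss_family`.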