[strongSwan-dev] [PATCH] socket-default: fix use of uninitialized memory when forcing source address on outgoing packet.
Dmitry Shubin
shubin at rnd.stcnet.ru
Fri Oct 30 18:09:42 CET 2015
Hi.
I don't see any _uninitialized_ memory here. What I see, however, is
buf[] being used (via msg.msg_control) outside the scope it is defined
in. So, I believe, a simpler fix would be to move the buf[] definition
to the function-level scope.
On 10/30/2015 06:42 PM, Maxime Bizon wrote:
> Depending on the compiler and CFLAGS, this code might not work at all.
>
>
> Signed-off-by: Maxime Bizon <mbizon at freebox.fr>
> ---
> .../plugins/socket_default/socket_default_socket.c | 18 +++++++++++-------
> 1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
> index dbfddbb..2fdfbe1 100644
> --- a/src/libcharon/plugins/socket_default/socket_default_socket.c
> +++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
> @@ -418,15 +418,17 @@ METHOD(socket_t, sender, status_t,
> #if defined(IP_PKTINFO) || defined(IP_SENDSRCADDR)
> struct in_addr *addr;
> struct sockaddr_in *sin;
> + char *buf;
> #ifdef IP_PKTINFO
> - char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
> + size_t buf_size = CMSG_SPACE(sizeof(struct in_pktinfo));
> struct in_pktinfo *pktinfo;
> #elif defined(IP_SENDSRCADDR)
> - char buf[CMSG_SPACE(sizeof(struct in_addr))];
> + size_t buf_size = CMSG_SPACE(sizeof(struct in_addr));
> #endif
> - memset(buf, 0, sizeof(buf));
> + buf = alloca(buf_size);
> + memset(buf, 0, buf_size);
> msg.msg_control = buf;
> - msg.msg_controllen = sizeof(buf);
> + msg.msg_controllen = buf_size;
> cmsg = CMSG_FIRSTHDR(&msg);
> cmsg->cmsg_level = SOL_IP;
> #ifdef IP_PKTINFO
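Review bot: `buf = alloca(buf_size);` is added here and again in the IPv6 branch of the second hunk, yet the diffstat's 11 insertions are all accounted for by the two hunks, so no `#include <alloca.h>` comes with the change. Whether alloca() is declared therefore depends on headers not visible here, and that should be confirmed for every platform this plugin builds on. The fix also works only because alloca() storage lasts until sender() returns rather than until the enclosing block ends, which nothing in the new code says. A short comment above each call would keep a later cleanup from turning it back into a block-scoped array: `/* must outlive this block: msg.msg_control still points here when msg is sent */`. sender() begins and ends outside both hunks, so the send call itself is assumed rather than seen.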
> @@ -446,13 +448,15 @@ METHOD(socket_t, sender, status_t,
> #ifdef HAVE_IN6_PKTINFO
> else
> {
> - char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
> + size_t buf_size = CMSG_SPACE(sizeof(struct in6_pktinfo));
> + char *buf;
> struct in6_pktinfo *pktinfo;
> struct sockaddr_in6 *sin;
>
> - memset(buf, 0, sizeof(buf));
> + buf = alloca(buf_size);
> + memset(buf, 0, buf_size);
> msg.msg_control = buf;
> - msg.msg_controllen = sizeof(buf);
> + msg.msg_controllen = buf_size;
> cmsg = CMSG_FIRSTHDR(&msg);
> cmsg->cmsg_level = SOL_IPV6;
> cmsg->cmsg_type = IPV6_PKTINFO;
>