From 4ccff71f678f79da71713a29d8528812379bb584 Mon Sep 17 00:00:00 2001
From: Will Storey
Date: Mon, 9 Oct 2017 12:50:04 -0700
Subject: Set host to an empty string on error

While investigating #317, I noticed that it was possible we would access an uninitialized buffer due to failing to check the return value of net_ip2host(). This is done in several places. To make such uses safe, set the host buffer to an empty string on error. It is possible callers could be improved by handling the error in each spot, but this gives us some safety.
---
src/core/network.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'src/core')

diff --git a/src/core/network.c b/src/core/network.c
index 4494dbc6..8d9c6b06 100644
--- a/src/core/network.c
+++ b/src/core/network.c
@@ -489,7 +489,16 @@ int net_gethostbyaddr(IPADDR *ip, char **name)
 int net_ip2host(IPADDR *ip, char *host)
 {
- return inet_ntop(ip->family, &ip->ip, host, MAX_IP_LEN) ? 0 : -1;
+ if (inet_ntop(ip->family, &ip->ip, host, MAX_IP_LEN)) {
+ return 0;
+ }
+
+ // For callers that do not check our return value and pass in an
+ // uninitialized buffer assuming it will be set, ensure the buffer is a valid
+ // string. Ideally callers should check what we return and handle
+ // appropriately, but this at least gives us safety.
+ host[0] = '\0';
+ return -1;
 }
 int net_host2ip(const char *host, IPADDR *ip)
-- cgit v1.2.3

From 174adee9dd91c23615f79b979b3b3c5f72ad1240 Mon Sep 17 00:00:00 2001
From: Will Storey
Date: Tue, 10 Oct 2017 18:21:05 -0700
Subject: Always initialize the host string

This also removes a wordy comment
---
src/core/network.c | 10 +--------
1 file changed, 1 insertion(+), 9 deletions(-)
(limited to 'src/core')

diff --git a/src/core/network.c b/src/core/network.c
index 8d9c6b06..b38c9102 100644
--- a/src/core/network.c
+++ b/src/core/network.c
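Review bot: The contract this hunk establishes — `host` must hold at least MAX_IP_LEN bytes and is now a NUL-terminated string whether or not the call succeeds — is not documented on net_ip2host, and the declaration in the header (outside this hunk) is where callers will look for it; a comment such as `/* Writes the text form of ip into host (at least MAX_IP_LEN bytes). Returns 0, or -1 with host set to "" on failure. */` would state it. The commit message says several callers ignore the return value; an empty host is an in-band sentinel that can still reach hostname lookups or log output, so marking the declaration `__attribute__((warn_unused_result))`, wrapped in whatever compiler-attribute macro the project already uses for portability, would surface those call sites as warnings instead of leaving this net as the only defence. Whether the project's build allows that attribute is not visible here.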
@@ -489,16 +489,8 @@ int net_gethostbyaddr(IPADDR *ip, char **name)
 int net_ip2host(IPADDR *ip, char *host)
 {
- if (inet_ntop(ip->family, &ip->ip, host, MAX_IP_LEN)) {
- return 0;
- }
-
- // For callers that do not check our return value and pass in an
- // uninitialized buffer assuming it will be set, ensure the buffer is a valid
- // string. Ideally callers should check what we return and handle
- // appropriately, but this at least gives us safety.
 host[0] = '\0';
- return -1;
+ return inet_ntop(ip->family, &ip->ip, host, MAX_IP_LEN) ? 0 : -1;
 }
 int net_host2ip(const char *host, IPADDR *ip)
-- cgit v1.2.3
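Review bot: Clearing `host[0]` before the call rather than after it, on the added line `return inet_ntop(ip->family, &ip->ip, host, MAX_IP_LEN) ? 0 : -1;`, makes the empty-string guarantee depend on inet_ntop() leaving `host` untouched when it fails. As far as I can tell POSIX does not specify the destination's contents on failure; glibc converts into a local buffer and copies only on success, so the guarantee holds there, but an implementation that writes a partial, unterminated result before returning NULL would defeat it, whereas the ordering from the previous commit (clearing after the failure) had no such dependency. A one-line comment recording the assumption, e.g. `/* inet_ntop() is assumed not to write into host on failure, so host stays "" then. */`, would at least make the reliance explicit for the next reader.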