Message-ID: <20150321213825.GK16260@port70.net>
Date: Sat, 21 Mar 2015 22:38:25 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: Konstantin Serebryany <konstantin.s.serebryany@...il.com>, Rich Felker <dalias@...c.org>, musl@...ts.openwall.com
Subject: Re: buffer overflow in regcomp and a way to find more of those

* Szabolcs Nagy <nsz@...t70.net> [2015-03-21 22:03:02 +0100]:
...
> r12            0x10                16
> r13            0x7                 7
> r14            0x6e2dc3            7220675
> r15            0x1                 1
> rip            0x47a05b            0x47a05b <inet_pton+1307>
> eflags         0x10202             [ IF RF ]
> cs             0x33                51
> ss             0x2b                43
> ds             0x0                 0
> es             0x0                 0
> fs             0x63                99
> gs             0x0                 0
> (gdb) p (char*)0x6e2dc3
> $3 = 0x6e2dc3 "2.8288;3:33::2.82.83333"
> (gdb)

ah.. r14 is incremented as the string is parsed; the original string is:

(gdb) p (char*)0x6e2dc3-35
$37 = 0x6e2da0 "8:a:2:8:3:28:8::2:83:20:8:2:833:23:2.8288;3:33::2.82.83333"

With this I can reproduce the crash.
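The reproducer string quoted in the message above is the kind of input that belongs in a regression test once the inet_pton bug is fixed. The harness below is an added example, not code from the thread or from musl: it feeds that exact string, plus a few constructed sanity cases, to the platform's inet_pton(3) and checks that the malformed literal is rejected (return value 0) rather than accepted or crashing the process. The function names probe_ipv6 and run_regressions are assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Reproducer literal quoted from the gdb session in the message above. */
static const char *const REPRO =
    "8:a:2:8:3:28:8::2:83:20:8:2:833:23:2.8288;3:33::2.82.83333";

/* Parse s as an IPv6 literal with the C library's inet_pton.
 * Returns 1 if accepted, 0 if rejected (-1 only for a bad address family).
 * The output buffer is exactly 16 bytes, as inet_pton(AF_INET6) requires,
 * so any overrun past it is what a sanitizer or hardened allocator would flag. */
int probe_ipv6(const char *s) {
    unsigned char buf[16];
    memset(buf, 0xAA, sizeof buf);
    return inet_pton(AF_INET6, s, buf);
}

/* Run the reproducer plus constructed sanity cases.
 * Returns the number of expectations that failed (0 means all passed). */
int run_regressions(void) {
    int failures = 0;

    /* The crashing input must be rejected cleanly, not parsed past the end. */
    if (probe_ipv6(REPRO) != 0) failures++;

    /* Constructed valid literals: the harness must still accept good input. */
    if (probe_ipv6("::1") != 1) failures++;
    if (probe_ipv6("2001:db8::1") != 1) failures++;
    if (probe_ipv6("::ffff:192.0.2.1") != 1) failures++;

    /* Constructed invalid literal: nine groups exceed the 128-bit address. */
    if (probe_ipv6("1:2:3:4:5:6:7:8:9") != 0) failures++;

    return failures;
}

int main(void) {
    int f = run_regressions();
    printf("%d failing case(s)\n", f);
    return f != 0;
}
```

Build it with a sanitizer (for example `-fsanitize=address`) against the libc under test; on a vulnerable build the first case aborts inside inet_pton instead of returning 0, which is the signal the message's gdb session was chasing.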