mattshma/py-radix

prefix_pton segfaults due to returning error message on the stack

GoogleCodeExporter opened this issue · 3 comments

What steps will reproduce the problem?

Use prefix_pton() in a program where getaddrinfo() fails.

What is the expected output? What do you see instead?

*errmsg contains a valid error message; instead, it contains garbage

What version of the product are you using? On what operating system?

0.5, Linux x86_64

Please provide any additional information below.

See https://code.google.com/p/py-radix/source/browse/radix.c#597: save is on 
the stack, and so out of scope when prefix_pton() returns, but *errmsg = save 
returns that (now invalid) pointer to the caller.

The fix would be to format the message in a thread-local buffer rather than on 
the stack.

Original issue reported on code.google.com by tud...@gmail.com on 15 Nov 2013 at 1:40

prefix_pton() may segfault (in rare cases) or return garbage (most of the time) 
because of reading from an out-of-scope string.

Original comment by tud...@gmail.com on 15 Nov 2013 at 1:42

Another (simpler) fix would be to no longer prefix the error string with 
"getaddrinfo: " and just do *errmsg = gai_strerror(r).

Original comment by tud...@gmail.com on 15 Nov 2013 at 1:53

I took the latter of your suggestions (removing the prefix). Fix committed - 
thanks!

Original comment by d...@djm.net.au on 17 Nov 2013 at 11:19

  • Changed state: Fixed
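
The bug pattern from this thread next to both proposed fixes, as an added example; it is not code from radix.c or from the project. The function names (lookup, parse_addr_buggy, parse_addr_tls, parse_addr_simple) and the simplified signatures are hypothetical, and the reported pattern is kept under #if 0 so it is never built or run.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* declares getaddrinfo() under strict -std=c11 */
#endif
#include <stdio.h>
#include <string.h>
#include <netdb.h>

static int lookup(const char *host) {   /* numeric-only parse: no DNS traffic */
    struct addrinfo hints = { .ai_flags = AI_NUMERICHOST }, *ai = NULL;
    int r = getaddrinfo(host, NULL, &hints, &ai);
    if (r == 0) freeaddrinfo(ai);
    return r;
}

#if 0   /* Reported pattern: 'save' stops existing when the function returns. */
int parse_addr_buggy(const char *host, const char **errmsg) {
    char save[256];
    int r = lookup(host);
    if (r == 0) return 0;
    snprintf(save, sizeof(save), "getaddrinfo: %s", gai_strerror(r));
    *errmsg = save;               /* dangling pointer handed to the caller */
    return -1;
}
#endif

/* Fix 1: format into per-thread static storage that outlives the call. */
int parse_addr_tls(const char *host, const char **errmsg) {
    static _Thread_local char buf[256];
    int r = lookup(host);
    if (r == 0) return 0;
    snprintf(buf, sizeof(buf), "getaddrinfo: %s", gai_strerror(r));
    *errmsg = buf;                /* overwritten by this thread's next failure */
    return -1;
}

/* Fix 2 (the suggestion that was taken): no prefix, return the library's string. */
int parse_addr_simple(const char *host, const char **errmsg) {
    int r = lookup(host);
    if (r == 0) return 0;
    *errmsg = gai_strerror(r);
    return -1;
}

int main(void) {
    const char *a = "ok", *b = "ok";
    parse_addr_tls("not-an-address", &a);
    parse_addr_simple("not-an-address", &b);
    return printf("%s\n%s\n", a, b) < 0;
}
```

With Fix 1 the caller must copy the message if it needs it beyond the same thread's next failing call; Fix 2 has no such lifetime to track.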