On Sat, May 17, 2014 at 02:18:22PM -0400, Ted Unangst wrote:
> On Sat, May 17, 2014 at 11:00, enh wrote:
> > inet_ntop4 incorrectly mixes a user-supplied size with a self-supplied
> > buffer:
> > 
> >   inet_ntop4(const u_char *src, char *dst, size_t size)
> >   ...
> >   char tmp[sizeof "255.255.255.255"];
> >   ...
> >   l = snprintf(tmp, size, fmt, src[0], src[1], src[2], src[3]);
> > 
> > so if I call inet_ntop(AF_INET, ... with a size larger than
> > INET_ADDRSTRLEN it'll overflow.
> 
> Thanks. I don't really understand the purpose of the tmp when it
> could just print into the buf directly, but I've left that alone for now.

The code certainly doesn't conform to the snprintf(buf, sizeof(buf), ...)
idiom. But the size argument for snprintf is a maximum and the format
string is not user-supplied so I don't see how to make inet_ntop write
more bytes than sizeof(tmp). Is it possible?
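The bound the question turns on, worked through as an added example (not code from the thread or from any libc; ntop4_max_len, ntop4_sizeof_idiom and ntop4_check are hypothetical names): the format is fixed and each %u receives a u_char, so the longest output is 15 characters plus the NUL, exactly sizeof tmp, and the sizeof(buf) idiom the reply refers to is shown beside that measurement.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

static const char fmt[] = "%u.%u.%u.%u";

/* Longest string fmt can yield for any four octets, excluding the NUL: each
 * %u gets an unsigned char promoted to int, so measure the widest value 0..255. */
int ntop4_max_len(void)
{
	int widest = 0, n;
	unsigned v;
	for (v = 0; v <= 255; v++)
		if ((n = snprintf(NULL, 0, "%u", v)) > widest)
			widest = n;
	return 4 * widest + 3;	/* 15, one less than sizeof tmp below */
}

/* Same shape as the reported inet_ntop4, but passing sizeof tmp (the idiom
 * the reply mentions) and checking the result. Hypothetical helper, not a
 * libc implementation. Returns NULL with errno = ENOSPC if dst is too small. */
const char *ntop4_sizeof_idiom(const unsigned char *src, char *dst, size_t size)
{
	char tmp[sizeof "255.255.255.255"];
	int l;
	l = snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3]);
	if (l < 0 || (size_t)l >= sizeof tmp || (size_t)l >= size) {
		errno = ENOSPC;
		return NULL;
	}
	memcpy(dst, tmp, (size_t)l + 1);	/* l < size, so l + 1 <= size */
	return dst;
}

/* Formats a.b.c.d into a buffer of the given size (capped at 64): 1 if the
 * text equals want, 0 if it differs, -1 if rejected with ENOSPC. */
int ntop4_check(unsigned char a, unsigned char b, unsigned char c,
    unsigned char d, size_t size, const char *want)
{
	unsigned char src[4] = { a, b, c, d };
	char dst[64];
	if (size > sizeof dst)
		size = sizeof dst;
	errno = 0;
	if (ntop4_sizeof_idiom(src, dst, size) == NULL)
		return errno == ENOSPC ? -1 : 0;
	return strcmp(dst, want) == 0;
}
```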
