Hi,
snprintf(9) allows a NULL buffer pointer if size is 0. But doing NULL pointer
arithmetic is undefined behavior. Check that size is positive
before doing that. While there, use the NUL char for string termination.
Pfkey import_flow() must do the NULL check before doing pointer
calculations.
ok?
bluhm
Index: kern/subr_prf.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/kern/subr_prf.c,v
retrieving revision 1.104
diff -u -p -r1.104 subr_prf.c
--- kern/subr_prf.c 2 Jun 2021 00:39:25 -0000 1.104
+++ kern/subr_prf.c 20 Jan 2022 13:35:34 -0000
@@ -570,14 +570,14 @@ snprintf(char *buf, size_t size, const c
va_list ap;
char *p;
- p = buf + size - 1;
- if (size < 1)
- p = buf;
+ p = buf;
+ if (size > 0)
+ p += size - 1;
va_start(ap, fmt);
retval = kprintf(fmt, TOBUFONLY | TOCOUNT, &p, buf, ap);
va_end(ap);
if (size > 0)
- *(p) = 0; /* null terminate */
+ *p = '\0'; /* null terminate */
return(retval);
}
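Review bot: In the size == 0 case p stays equal to buf, which per the cover note may be NULL, and that pointer is still handed to kprintf() through &p on the following line; whether that is safe depends on kprintf()'s TOBUFONLY path never advancing or dereferencing *p when it was given no room, which this hunk does not show. A one-line comment at the call would make that contract visible, e.g. `/* size == 0: buf may be NULL and p == buf; kprintf() must not touch *p */`. It would also help to state what p is after the added arithmetic: `/* p = last writable byte, reserved for the terminating NUL */`. The body of snprintf() begins before this hunk.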
Index: net/pfkeyv2_convert.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pfkeyv2_convert.c,v
retrieving revision 1.78
diff -u -p -r1.78 pfkeyv2_convert.c
--- net/pfkeyv2_convert.c 20 Dec 2021 15:59:09 -0000 1.78
+++ net/pfkeyv2_convert.c 20 Jan 2022 13:35:31 -0000
@@ -432,13 +432,15 @@ import_flow(struct sockaddr_encap *flow,
struct sadb_protocol *sab, struct sadb_protocol *ftype)
{
u_int8_t transproto = 0;
- union sockaddr_union *src = (union sockaddr_union *)(ssrc + 1);
- union sockaddr_union *dst = (union sockaddr_union *)(ddst + 1);
- union sockaddr_union *srcmask = (union sockaddr_union *)(ssrcmask + 1);
- union sockaddr_union *dstmask = (union sockaddr_union *)(ddstmask + 1);
+ union sockaddr_union *src, *dst, *srcmask, *dstmask;
if (ssrc == NULL)
return 0; /* There wasn't any information to begin with. */
+
+ src = (union sockaddr_union *)(ssrc + 1);
+ dst = (union sockaddr_union *)(ddst + 1);
+ srcmask = (union sockaddr_union *)(ssrcmask + 1);
+ dstmask = (union sockaddr_union *)(ddstmask + 1);
bzero(flow, sizeof(*flow));
bzero(flowmask, sizeof(*flowmask));
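Review bot: The moved pointer arithmetic still computes `ddst + 1`, `ssrcmask + 1` and `ddstmask + 1` unconditionally while only ssrc is tested for NULL, so if any of the other three pointer arguments can be absent, the NULL-pointer arithmetic this commit sets out to remove survives for them; whether they can be NULL is decided by code outside the hunk, so this is inferred from the parameter list rather than shown. If the mask arguments are optional, deriving them conditionally keeps the fix complete, e.g. `srcmask = ssrcmask ? (union sockaddr_union *)(ssrcmask + 1) : NULL;` and the same for dstmask (and for dst, should ddst also be optional). The body of import_flow() continues past this hunk.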