From: Rich Felker <dalias@aerifal.cx>
Date: Mon, 23 Mar 2015 13:44:18 +0000 (-0400)
Subject: fix internal buffer overrun in inet_pton
X-Git-Url: http://nsz.repo.hu/git/?a=commitdiff_plain;h=fc13acc3dcb5b1f215c007f583a63551f6a71363;p=musl

fix internal buffer overrun in inet_pton

one stop condition for parsing abbreviated ipv6 addressed was missed,
allowing the internal ip[] buffer to overflow. this patch adds the
missing stop condition and masks the array index so that, in case
there are any remaining stop conditions missing, overflowing the
buffer is not possible.
---

diff --git a/src/network/inet_pton.c b/src/network/inet_pton.c
index 4496b47b..d36c3689 100644
--- a/src/network/inet_pton.c
+++ b/src/network/inet_pton.c
@@ -39,14 +39,15 @@ int inet_pton(int af, const char *restrict s, void *restrict a0)
 	for (i=0; ; i++) {
 		if (s[0]==':' && brk<0) {
 			brk=i;
-			ip[i]=0;
+			ip[i&7]=0;
 			if (!*++s) break;
+			if (i==7) return 0;
 			continue;
 		}
 		for (v=j=0; j<4 && (d=hexval(s[j]))>=0; j++)
 			v=16*v+d;
 		if (j==0) return 0;
-		ip[i] = v;
+		ip[i&7] = v;
 		if (!s[j] && (brk>=0 || i==7)) break;
 		if (i==7) return 0;
 		if (s[j]!=':') {