fix internal buffer overrun in inet_pton

one stop condition for parsing abbreviated ipv6 addressed was missed, allowing the internal ip[] buffer to overflow. this patch adds the missing stop condition and masks the array index so that, in case there are any remaining stop conditions missing, overflowing the buffer is not possible.
author: Rich Felker <dalias@aerifal.cx> 2015-03-23 09:44:18 -0400
committer: Rich Felker <dalias@aerifal.cx> 2015-03-23 09:44:18 -0400
commit: fc13acc3dcb5b1f215c007f583a63551f6a71363 (patch)
tree: 016f147c6e6df4d486567fdaddb572e0e31cc0e0 /src/network/inet_pton.c
parent: 7c8c86f6308c7e0816b9638465a5917b12159e8f (diff)
download: musl-fc13acc3dcb5b1f215c007f583a63551f6a71363.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/src/network/inet_pton.c b/src/network/inet_pton.c
index 4496b47b..d36c3689 100644
--- a/src/network/inet_pton.c
+++ b/src/network/inet_pton.c
@@ -39,14 +39,15 @@ int inet_pton(int af, const char *restrict s, void *restrict a0)
 	for (i=0; ; i++) {
 		if (s[0]==':' && brk<0) {
 			brk=i;
-			ip[i]=0;
+			ip[i&7]=0;
 			if (!*++s) break;
+			if (i==7) return 0;
 			continue;
 		}
 		for (v=j=0; j<4 && (d=hexval(s[j]))>=0; j++)
 			v=16*v+d;
 		if (j==0) return 0;
-		ip[i] = v;
+		ip[i&7] = v;
 		if (!s[j] && (brk>=0 || i==7)) break;
 		if (i==7) return 0;
 		if (s[j]!=':') {
author	Rich Felker <dalias@aerifal.cx>	2015-03-23 09:44:18 -0400
committer	Rich Felker <dalias@aerifal.cx>	2015-03-23 09:44:18 -0400
commit	fc13acc3dcb5b1f215c007f583a63551f6a71363 (patch)
tree	016f147c6e6df4d486567fdaddb572e0e31cc0e0 /src/network/inet_pton.c
parent	7c8c86f6308c7e0816b9638465a5917b12159e8f (diff)
download	musl-fc13acc3dcb5b1f215c007f583a63551f6a71363.tar.gz