Re: [HACKERS] Open 6.4 items

Tom Ivar Helbekkmo <tih(at)nhh(dot)no> writes:
> Now I'm explicitly asking for at least one byte more than I need, and
> I'm pretty damn sure that I never touch that extra byte, but something
> seems to, since the problem goes away. It's arrogant of me, I know,
> but barring a complete misunderstanding on my part of how variable
> size records work (or a stupid bug that I've been staring at for hours
> without seeing, of course), I'd say that something outside my code is
> at fault. Any ideas as to how to try to find out?

Well, I hate to ruin your day, but coming pre-armed with the knowledge
that the code is writing one byte too many, it's pretty obvious that the
first loop in inet_net_pton_ipv4 does indeed do that. Specifically at
else if (size-- > 0)
*++dst = 0, dirty = 0;
where, when size (the number of remaining destination bytes) is reduced
to 0, the code nonetheless advances dst and clears the next byte.
The loop logic is fundamentally faulty: you can't check for emsgsize
overflow until you get a digit that is supposed to go into another byte.
I'd try something like

tmp = 0;
ndigits = 0; // ndigits is # of hex digits seen for cur byte
while (ch = next hex digit)
{
n = numeric equivalent of ch;
assert(n >= 0 && n <= 15);
tmp = (tmp << 4) | n;
if (++ndigits == 2)
{
if (size-- <= 0)
goto emsgsize;
*dst++ = (u_char) tmp;
tmp = 0, ndigits = 0;
}
}
if (ndigits)
goto enoent; // odd number of hex digits is bogus

BTW, shouldn't this routine clear out all "size" bytes of the
destination, even if the given data doesn't fill it all? A memset
at the top might be worthwhile.

regards, tom lane