Subject: Re: ares_init.c +1295, missing else?

From: Dima Tisnek <dimaqq_at_gmail.com>
Date: Tue, 22 Feb 2011 10:24:02 -0700

On 22 February 2011 05:54, Tommie Gannert <tommie_at_spotify.com> wrote:
> On 02/14/2011 08:10 PM, Dima Tisnek wrote:
>>
>> Sure, here it is:
>>
>> diff --git a/ares_init.c b/ares_init.c
>> index d2f4a72..62e09b4 100644
>> --- a/ares_init.c
>> +++ b/ares_init.c
>> @@ -1292,7 +1292,7 @@ static int config_sortlist(struct apattern
>> **sortlist, int *nsort,
>>            if (!sortlist_alloc(sortlist, nsort,&pat))
>>              return ARES_ENOMEM;
>>          }
>> -      if (ipbufpfx[0]&&
>> +      else if (ipbufpfx[0]&&
>>            (bits = ares_inet_net_pton(AF_INET, ipbufpfx,&pat.addrV4,
>>                                       sizeof(pat.addrV4)))>  0)
>>          {
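Review bot: The `else` is needed here rather than a style preference: with a plain `if`, a buffer that the IPv6 branch above has already parsed and handed to sortlist_alloc(sortlist, nsort, &pat) is passed a second time to ares_inet_net_pton(AF_INET, ..., &pat.addrV4, ...), so the IPv4 parser can write into pat after the IPv6 result was recorded (the mechanism is spelled out later in this thread). Suggest a one-line comment above the `else if` stating that at most one address-family parser may run per sortlist entry because both write into the same `pat`, and a regression test for config_sortlist with an entry such as `12:ab::0` (the case raised below) to pin the behaviour down.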
>
> I agree it sounds reasonable that only one of the branches in the loop
> is executed. It's probably not an issue in practice, as something can't
> be parsed as both IPv6 and IPv4 (right?)
>
> --
> Tommie Gannert
>

My primary concern is that the 2nd call to ares_inet_net_pton calls
inet_net_pton_ipv4, which can clobber pat, as v4 and v6 are a union in
pat. That could happen if v6 parsed correctly and started with decimal
digits only, that is, 12<....> can be a part of 12:ab::0 as well as
12.34.0.0; the way I see it, the IPv4 code would eat 12, store 1 byte to
dst and only then notice that the next char is not a dot.

d.
Received on 2011-02-22