Diffstat (limited to 'fix_overlapping_buffers.patch')
-rw-r--r--fix_overlapping_buffers.patch46
1 files changed, 46 insertions, 0 deletions
diff --git a/fix_overlapping_buffers.patch b/fix_overlapping_buffers.patch
new file mode 100644
index 000000000000..44706131c410
--- /dev/null
+++ b/fix_overlapping_buffers.patch
@@ -0,0 +1,46 @@
+Fix overlapping buffers passed to strncpy which is UB. format_host_rta_r writes
+to the buffer passed to it, so hostname (derived from b1) & b1 partly overlap.
+
+This gets worse with sys-libs/glibc-2.37 where the ip route output can be truncated,
+but it was UB anyway and you can see it occurring w/ glibc-2.36.
+
+Bug: https://lore.kernel.org/netdev/0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org/T/#u
+Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30112
+Thanks-to: Doug Freed <dwfreed@mtu.edu>
+Signed-off-by: Sam James <sam@gentoo.org>
+---
+ ip/iproute.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/ip/iproute.c b/ip/iproute.c
+index 0bab0fdf..a7cd9543 100644
+--- a/ip/iproute.c
++++ b/ip/iproute.c
+@@ -748,6 +748,7 @@ int print_route(struct nlmsghdr *n, void *arg)
+ int ret;
+
+ SPRINT_BUF(b1);
++ SPRINT_BUF(b2);
+
+ if (n->nlmsg_type != RTM_NEWROUTE && n->nlmsg_type != RTM_DELROUTE) {
+ fprintf(stderr, "Not a route: %08x %08x %08x\n",
+@@ -809,7 +810,7 @@ int print_route(struct nlmsghdr *n, void *arg)
+ r->rtm_dst_len);
+ } else {
+ const char *hostname = format_host_rta_r(family, tb[RTA_DST],
+- b1, sizeof(b1));
++ b2, sizeof(b2));
+ if (hostname)
+ strncpy(b1, hostname, sizeof(b1) - 1);
+ }
+@@ -832,7 +833,7 @@ int print_route(struct nlmsghdr *n, void *arg)
+ r->rtm_src_len);
+ } else {
+ const char *hostname = format_host_rta_r(family, tb[RTA_SRC],
+- b1, sizeof(b1));
++ b2, sizeof(b2));
+ if (hostname)
+ strncpy(b1, hostname, sizeof(b1) - 1);
+ }
+--
+2.39.1
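Review bot: The two `strncpy(b1, hostname, sizeof(b1) - 1)` calls kept as context in the RTA_DST and RTA_SRC hunks of ip/iproute.c never write a terminator themselves. b1 therefore ends in a NUL only if hostname is shorter than the bound or b1's last byte was already zero, and SPRINT_BUF's definition is not visible here to confirm either; an unterminated b1 would be read past its end when it is later printed. Now that the formatter writes into b2 and the buffers no longer overlap, both copies could become `snprintf(b1, sizeof(b1), "%s", hostname);`, which always terminates and makes truncation explicit. print_route's body continues outside these hunks, so how b1 is consumed afterwards should be checked against the full function.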