-
Incident report
-
Resolution: Fixed
-
Trivial
-
3.0.5rc1, 3.2.0alpha2
As Coverity rightly points out (CID 118931) there is an out-of-bounds access in iprangev6_parse().
In src/libs/zbxcommon/iprange.c:
/* iterate through address numbers (bit groups) */ for (index = 0; ptr < end && index <= 8; address = ptr + 1) { ... /* extract the range start value */ if (FAIL == is_hex_n_range(address, len, &iprange->range[index].from, 4, 0, (1 << 16) - 1)) ...
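We should check for index < 8 there: range[] is declared with 8 elements (indices 0-7), so with index <= 8 a ninth bit group is written to range[8], one element past the end of the array.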
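To test, apply the following diff, delete main() from src/zabbix_server/server.c, compile (just --enable-server) and try to run zabbix_server. It will output "0-9", i.e. the ninth group was parsed and stored in range[8]. The diff is only a test aid: it enlarges range[] to 9 elements so that the out-of-bounds write can be read back, and it is not the fix.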
Index: include/common.h
===================================================================
--- include/common.h (revision 61683)
+++ include/common.h (working copy)
@@ -1039,7 +1039,7 @@
typedef struct
{
- zbx_range_t range[8];
+ zbx_range_t range[9];
/* range type - ZBX_IPRANGE_V4 or ZBX_IPRANGE_V6 */
unsigned char type;
/* 1 if the range was defined with network mask, 0 otherwise */
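Review bot: Growing `range` to 9 elements is only safe as a diagnostic and should not be carried into the fix, because the unchanged `index <= 8` bound in iprangev6_parse() would then accept a ninth group as valid input. The array size and the loop bound are two independent literals; deriving the bound from the array, e.g. `index < sizeof(iprange->range) / sizeof(iprange->range[0])`, keeps them in step. With the original 8-element array the stray write most likely lands on the members that follow `range` in this struct (`type` and the mask flag), which would explain why it corrupts state silently instead of crashing. A build with `-fsanitize=bounds` should report the access without changing the struct layout. The struct definition continues outside this hunk.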
Index: src/libs/zbxcommon/iprange.c
===================================================================
--- src/libs/zbxcommon/iprange.c (revision 61683)
+++ src/libs/zbxcommon/iprange.c (working copy)
@@ -341,6 +341,17 @@
return SUCCEED;
}
+int main(void)
+{
+ zbx_iprange_t ip_range;
+
+ iprangev6_parse(&ip_range, "0-1:0-2:0-3:0-4:0-5:0-6:0-7:0-8:0-9");
+
+ printf("%d-%d\n", ip_range.range[8].from, ip_range.range[8].to);
+
+ return 0;
+}
+
/******************************************************************************
* *
* Function: iprange_parse *
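Review bot: The test main() prints `ip_range.range[8]` without checking the result of iprangev6_parse(), and `ip_range` is never initialised, so if the parser rejects the input the printed values are indeterminate and cannot be read as a pass or a fail. Zero the struct first with `memset(&ip_range, 0, sizeof(ip_range));` and guard the call as `if (SUCCEED != iprangev6_parse(...)) return 1;` before the printf. Once the loop bound is corrected, this nine-group input should presumably no longer produce "0-9", but the rest of iprangev6_parse() is not visible here to confirm how the leftover group is handled. The comment header for iprange_parse continues past the end of the hunk.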