From 2104847a26d384bb50d474a108c3997c453d5a3d Mon Sep 17 00:00:00 2001
From: Ken Raeburn
Date: Wed, 6 Oct 2004 23:39:12 +0000
Subject: [PATCH] * localaddr.c (foreach_localaddr): Be more careful not to walk past the end of the ifreq array. (get_ifreq_array): Return 0 in success case, not errno.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16808 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/os/ChangeLog | 4 ++++
 src/lib/krb5/os/localaddr.c | 15 +++++++++------
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/src/lib/krb5/os/ChangeLog b/src/lib/krb5/os/ChangeLog
index a560ac959..1258c9151 100644
--- a/src/lib/krb5/os/ChangeLog
+++ b/src/lib/krb5/os/ChangeLog
@@ -1,5 +1,9 @@
 2004-10-06 Ken Raeburn
+ * localaddr.c (foreach_localaddr): Be more careful not to walk
+ past the end of the ifreq array.
+ (get_ifreq_array): Return 0 in success case, not errno.
+
 * localaddr.c (get_ifreq_array): Split out from foreach_localaddr general version. (foreach_localaddr): Call it.
diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c
index 389a7781e..91324660b 100644
--- a/src/lib/krb5/os/localaddr.c
+++ b/src/lib/krb5/os/localaddr.c
@@ -568,7 +568,7 @@ foreach_localaddr (/*@null@*/ void *data,
 goto punt;
 }
- for (i = 0; i < P.buf_size; i+= sizeof (*lifr)) {
+ for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
 lifr = (struct lifreq *)((caddr_t) P.buf+i);
 strncpy(lifreq.lifr_name, lifr->lifr_name,
@@ -637,7 +637,7 @@ have_working_socket:
 if (pass2fn) FOREACH_AF () if (P.sock >= 0) {
- for (i = 0; i < P.buf_size; i+= sizeof (*lifr)) {
+ for (i = 0; i + sizeof (*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
 lifr = (struct lifreq *)((caddr_t) P.buf+i);
 if (lifr->lifr_name[0] == '\0')
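Review bot: The rewritten bound `i + sizeof(*lifr) <= P.buf_size` in the first lifreq loop of foreach_localaddr carries no comment saying what it protects against, and the same expression is repeated in the loops at -637, -740 and -809. A one-line comment above each, for example `/* Stop unless a whole record fits; a trailing partial record must not be dereferenced. */`, would keep a later cleanup from reverting to `i < P.buf_size`. The declarations of `i` and `P.buf_size` are outside the hunk; if either is a signed int the comparison is carried out in size_t, so a negative buf_size would pass the test and should be rejected before the loop. The spelling also varies between `sizeof(*lifr)` and `sizeof (*lifr)` within the same line.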
@@ -740,7 +740,7 @@ foreach_localaddr (/*@null@*/ void *data,
 goto punt;
 }
- for (i = 0; i < P.buf_size; i+= sizeof (*lifr)) {
+ for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
 lifr = (struct if_laddrreq *)((caddr_t) P.buf+i);
 strncpy(lifreq.iflr_name, lifr->iflr_name,
@@ -809,7 +809,7 @@ have_working_socket:
 if (pass2fn) FOREACH_AF () if (P.sock >= 0) {
- for (i = 0; i < P.buf_size; i+= sizeof (*lifr)) {
+ for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
 lifr = (struct if_laddrreq *)((caddr_t) P.buf+i);
 if (lifr->iflr_name[0] == '\0')
@@ -914,7 +914,7 @@ ask_again:
 *bufp = buf;
 *np = n;
- return errno;
+ return 0;
 }
 int
@@ -955,8 +955,11 @@ foreach_localaddr (/*@null@*/ void *data,
 The Samba mailing list archives mention that NTP looks for the size on these systems: *-fujitsu-uxp* *-ncr-sysv4* *-univel-sysv*. */
- for (i = 0; i < n; i+= ifreq_size(*ifr) ) {
+ for (i = 0; i + sizeof(struct ifreq) < n; i+= ifreq_size(*ifr) ) {
 ifr = (struct ifreq *)((caddr_t) buf+i);
+ /* In case ifreq_size is more than sizeof(). */
+ if (i + ifreq_size(*ifr) >= n)
+ break;
 strncpy(ifreq.ifr_name, ifr->ifr_name, sizeof (ifreq.ifr_name));
 Tprintf (("interface %s\n", ifreq.ifr_name));
-- 
2.26.2
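Review bot: The return contract of get_ifreq_array is not stated anywhere in the -914 hunk, and the old `return errno;` shows how easily it is misread, since errno can still hold a stale non-zero value after every call has succeeded. If the function has no header comment, add one along the lines of `/* Returns 0 on success, or an errno value on failure. */`, adjusted to whatever the failure paths really return. Those paths are outside the hunk; it is worth confirming that each one returns an errno value saved immediately after the failing call rather than reading errno later.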
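Review bot: Both new comparisons in the ifreq loop at -955 are one step too strict: `i + sizeof(struct ifreq) < n` and `if (i + ifreq_size(*ifr) >= n)` reject a record that ends exactly at byte n, whereas the lifreq loops in this same commit use `<=`. If n is the number of bytes filled in by get_ifreq_array (its assignment is outside the hunk), the last interface in the buffer is never reported, and a buffer holding a single record yields none. A record that ends at n is still entirely inside the buffer, so `i + sizeof(struct ifreq) <= n` and `if (i + ifreq_size(*ifr) > n)` keep the out-of-bounds protection without losing that entry.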