authorMike Frysinger <vapier@gentoo.org>2012-04-12 11:18:39 -0400
committerMike Frysinger <vapier@gentoo.org>2012-05-08 01:51:22 -0400
commitabb66a672f5575a328d05c0790403af673d0f76c (patch)
tree44834ee4c7ebbecdf5aab4eb8e1f95668d3c36f6 /inet
parent05760585e0f74222d531dc9bb72d39d028857312 (diff)
tftp.h: rework layout to work with fortification
The current tftp structure does not work when fortification is enabled.
Starting with gcc-4.5, more size checking was added to trigger these.
Older versions just didn't have enough information, so they returned -1
as the sizes.

First, the tu_stuff field is declared as 1 byte (when it's really an
arbitrary length C string), so attempting to strcpy() with it results
in crashes.  This fails with _FORTIFY_SOURCE=1.

Second, even if we change that to [0] (since gcc does not allow flexible
array members in a union), gcc is not smart enough to see that they are
two overlapping flexible arrays (tu_stuff and tu_data), so it will still
trigger an abort with _FORTIFY_SOURCE=2.  This is because it thinks that
tu_stuff is 0 bytes and tu_data comes after it.

Talking to upstream gcc, they don't seem terribly inclined to fix the
2nd issue, but even if they did, we still have plenty of 4.5 and 4.6
installs that would hit problems.

So, let's re-order with a few more anonymous structs & unions so that
the fields are laid out with a zero-length array always as the last
field.  This seems to fix things with gcc-4.6, and the tftp-hpa pkg
continues to build & work.

URL: https://bugs.launchpad.net/ubuntu/+source/tftp-hpa/+bug/691345
URL: https://bugs.archlinux.org/task/28103
URL: https://bugs.gentoo.org/357083
URL: http://gcc.gnu.org/PR52944
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'inet')
-rw-r--r--inet/arpa/tftp.h24
1 files changed, 15 insertions, 9 deletions
diff --git a/inet/arpa/tftp.h b/inet/arpa/tftp.h
index 21b0559e54..86e0b6e814 100644
--- a/inet/arpa/tftp.h
+++ b/inet/arpa/tftp.h
@@ -49,17 +49,23 @@
 struct	tftphdr {
 	short	th_opcode;			/* packet type */
 	union {
-		unsigned short	tu_block;	/* block # */
-		short	tu_code;		/* error code */
-		char	tu_stuff[1];		/* request packet stuff */
-	} __attribute__ ((__packed__)) th_u;
-	char	th_data[1];			/* data or error string */
+		char	tu_padding[3];		/* sizeof() compat */
+		struct {
+			union {
+				unsigned short	tu_block;	/* block # */
+				short	tu_code;		/* error code */
+			} __attribute__ ((__packed__)) th_u3;
+			char tu_data[0];	/* data or error string */
+		} __attribute__ ((__packed__)) th_u2;
+		char	tu_stuff[0];		/* request packet stuff */
+	} __attribute__ ((__packed__)) th_u1;
 } __attribute__ ((__packed__));
 
-#define	th_block	th_u.tu_block
-#define	th_code		th_u.tu_code
-#define	th_stuff	th_u.tu_stuff
-#define	th_msg		th_data
+#define	th_block	th_u1.th_u2.th_u3.tu_block
+#define	th_code		th_u1.th_u2.th_u3.tu_code
+#define	th_stuff	th_u1.tu_stuff
+#define	th_data		th_u1.th_u2.tu_data
+#define	th_msg		th_u1.th_u2.tu_data
 
 /*
  * Error codes.
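Review bot: The `tu_padding[3]` member and the two `[0]` arrays carry the whole reasoning of this change, but the only comment left in the header is `/* sizeof() compat */`, so a later maintainer cannot tell why the layout must stay this way. I would add a block comment above `struct tftphdr` saying that `tu_padding` keeps `sizeof (struct tftphdr)` at the 5 bytes the old `th_data[1]` layout had, and that `tu_stuff` and `tu_data` are zero-length (a GNU extension) and placed last in their aggregates so that _FORTIFY_SOURCE does not treat them as fixed-size objects. The same comment should say that fortified `strcpy`/`memcpy` calls on `th_stuff`, `th_data` and `th_msg` then presumably get no useful bound from this type, so callers have to check lengths against the real packet buffer themselves. Separately, renaming `th_u` to `th_u1` and turning `th_data` from a member into a macro may break code that names `th_u` directly or uses `th_data` as its own identifier; that deserves a line in the header or the release notes.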