From 9bea045e60fa612336ae6a78267284bcec2e9e25 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.de>
Date: Tue, 9 Aug 2011 12:25:46 +0200
Subject: bugfix: memcpy overflow can occur in allowed sender checking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

...if a host name is resolved to IPv4-mapped-on-IPv6 address.
Found by Ismail Dönmez at suse.

Signed-off-by: Rainer Gerhards <rgerhards@adiscon.com>
---
 ChangeLog     | 3 +++
 runtime/net.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 43c266ae..785a60eb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 ---------------------------------------------------------------------------
 Version 4.6.8  [v4-stable] (rgerhards), 2011-??-??
 - bugfix: potential misadressing in property replacer
+- bugfix: memcpy overflow can occur in allowed sender checkig
+  if a name is resolved to IPv4-mapped-on-IPv6 address
+  Found by Ismail Dönmez at suse
 ---------------------------------------------------------------------------
 Version 4.6.7  [v4-stable] (rgerhards), 2011-07-11
 - added support for the ":omusrmsg:" syntax in configuring user messages
diff --git a/runtime/net.c b/runtime/net.c
index fe6eef5b..0866efd7 100644
--- a/runtime/net.c
+++ b/runtime/net.c
@@ -721,7 +721,7 @@ static rsRetVal AddAllowedSender(struct AllowedSenders **ppRoot, struct AllowedS
 						SIN(allowIP.addr.NetAddr)->sin_port   = 0;
 						memcpy(&(SIN(allowIP.addr.NetAddr)->sin_addr.s_addr),
 							&(SIN6(res->ai_addr)->sin6_addr.s6_addr32[3]),
-							sizeof (struct sockaddr_in));
+							sizeof (in_addr_t));
 
 						if((iRet = AddAllowedSenderEntry(ppRoot, ppLast, &allowIP,
 								iSignificantBits))
-- 
cgit