fix: stack buffer overflow in IPv6 address parsing#2250
Open
EylonKrause wants to merge 1 commit into
Open
Conversation
ncclSocketGetAddrFromString copied operator-controlled [IPv6]:port fields into fixed-size stack buffers (port_str[32], if_name[16]) using strncpy lengths taken directly from the input. A long port or interface field (e.g. NCCL_COMM_ID set to [::1]: followed by 40+ digits) overflowed the stack buffer (CWE-121). Clamp each copy length to its destination buffer size; valid addresses are unaffected. Signed-off-by: EylonKrause <eylon1909@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
ncclSocketGetAddrFromStringparses an[IPv6]:port(optionally[IPv6%iface]:port) string into fixed-size stack buffers, but thestrncpylengths come straight from the input with no bound (src/misc/socket.cc):port_strisNI_MAXSERV(32) bytes, yetstrncpy(port_str, ip_port_pair + i + 2, len - i - 1)copies the entire tail after]:— a port field longer than 31 chars overflows the stack buffer.if_nameis 16 bytes, copiedi - j - 1(the%ifaceportion) with no bound.ip_strisNI_MAXHOST(1025) and is likewise unbounded for a pathologically long address.These lengths derive from operator-controlled configuration (
NCCL_COMM_ID, and the RAS address path), so a malformed value such asNCCL_COMM_ID=[::1]:followed by 40+ digits triggers a stack out-of-bounds write (CWE-121). The IPv4/getaddrinfobranch is unaffected.Related Issues
None.
Changes & Impact
src/misc/socket.cc: clamp eachstrncpylength to its destination buffer size (minus one for the NUL already written by the precedingmemset). The(size_t)cast plus the clamp also makes any unexpected negative length safe (it becomes large, then clamps down). Valid addresses — well under the buffer sizes — are unaffected; only malformed/over-long input is now truncated instead of overflowing. Non-breaking.Performance Impact
None — a few comparisons on the (rare) address-parse path.
Testing
make src.build(no new warnings).NCCL_COMM_ID-style input[::1]:+ 40 digits:AddressSanitizer: stack-buffer-overflow ... WRITE of size 41 ... in strncpy(41 bytes written into the 32-byteport_str).