Change Details

Portable programs that use SIOCGIFCONF (tcpdump) assume that each pseudo ifreq is of length sizeof(ifr_name) + ifr_addr.sa_len. For short sockaddrs we violated this assumption and wrote sizeof(ifr_name) + sizeof(struct sockaddr). We also failed to zero extra sa_data values (not a leak, but could contain contents of previous sockaddrs). I believe only one such sockaddr exists (struct sockaddr_sco which is 8 bytes) and it is unclear if such sockaddrs end up on interfaces in practice. If it did the result would be an 8 byte heap leak.

Portable programs that use SIOCGIFCONF (traceroute) assume that each pseudo ifreq is of length sizeof(ifr_name) + ifr_addr.sa_len. For short sockaddrs we violated this assumption and wrote sizeof(ifr_name) + sizeof(struct sockaddr). We also failed to zero extra sa_data values (not a leak, but could contain contents of previous sockaddrs). I believe only one such sockaddr exists (struct sockaddr_sco which is 8 bytes) and it is unclear if such sockaddrs end up on interfaces in practice. If it did the result would be an 8 byte heap leak.

Portable programs that use SIOCGIFCONF (tcpdumptraceroute) assume that each pseudo ifreq is of length sizeof(ifr_name) + ifr_addr.sa_len. For short sockaddrs we violated this assumption and wrote sizeof(ifr_name) + sizeof(struct sockaddr). We also failed to zero extra sa_data values (not a leak, but could contain contents of previous sockaddrs). I believe only one such sockaddr exists (struct sockaddr_sco which is 8 bytes) and it is unclear if such sockaddrs end up on interfaces in practice. If it did the result would be an 8 byte heap leak.