Re: Possible issue in iproute2 package
From: Vadim Kochan <hidden>
Date: 2015-05-29 06:34:44
Hi Jose,

On Thu, May 28, 2015 at 09:12:15PM +0000, Guzman Mosqueda, Jose R wrote:
> Hi all
>
> I'm Jose Guzman from a security team at Intel. We're using iproute2 in a GNU-Linux project and I'm analyzing the code to try to find possible issues/gaps/risks.
>
> Since I'm not too familiar with the package yet I have a question about a particular piece of code that could result in a memory corruption:
>
> Version: 4.0.0
> File: misc/ss.c
> Function: static void tcp_show_info(...)
> Line: ~1903
> Description: There is a memory allocation for a "s.cong_alg" variable:
>
> s.cong_alg = malloc(strlen(cong_attr + 1));
>
> The length is calculated about next position of the starting character. But next line there is a copy of the whole content:
>
> strcpy(s.cong_alg, cong_attr);
>
> I think there is a mistake and it should be something like:
>
> s.cong_alg = malloc(strlen(cong_attr) + 1);

I think strdup can be used here. I will send a patch.

Thank You!
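The sizing error discussed in this thread, shown as an added example that is not part of the original messages or of iproute2's code. The helper names and the sample value "cubic" are constructed for illustration; the program compares the size the reported expression requests with the size strcpy() actually writes, then copies the string with a correctly sized allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes strcpy() writes for s: every character plus the terminating NUL. */
size_t needed_size(const char *s)
{
    return strlen(s) + 1;
}

/* Size requested by the reported expression malloc(strlen(s + 1)).
 * s + 1 skips the first character, so the result is strlen(s) - 1.
 * For an empty string, s + 1 points past the NUL and strlen() would read
 * out of bounds, so this helper (hypothetical) refuses that input. */
size_t reported_size(const char *s)
{
    if (s[0] == '\0')
        return 0; /* not evaluated: the real expression is undefined here */
    return strlen(s + 1);
}

/* Bytes by which strcpy() overruns the buffer, for a non-empty s. */
size_t overflow_bytes(const char *s)
{
    return needed_size(s) - reported_size(s);
}

/* Corrected allocation: strlen(s) + 1, the form proposed in the report.
 * On POSIX systems strdup(s) does the same in one call.
 * Returns NULL on allocation failure; the caller frees the result. */
char *copy_cong_alg(const char *cong_attr)
{
    size_t n = strlen(cong_attr) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, cong_attr, n); /* n includes the NUL */
    return p;
}

int main(void)
{
    const char *cong_attr = "cubic"; /* constructed sample value */
    char *copy = copy_cong_alg(cong_attr);
    if (copy == NULL)
        return 1;
    printf("needed=%zu reported=%zu overflow=%zu copy=%s\n",
           needed_size(cong_attr), reported_size(cong_attr),
           overflow_bytes(cong_attr), copy);
    free(copy);
    return 0;
}
```

Building the original expression with AddressSanitizer (`-fsanitize=address`) reports the same overrun as a heap-buffer-overflow at the strcpy() call.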