We get a pointer to the end of the address string (ipaddr), but then call
snprintf and pass in tmpbuf which is a pointer to the beginning of the
address string. If someone passes in an address with a scopeid then we
end up overwriting the entire address string.
Reported-by: Björn JACKE <bj@sernet.de>
Signed-off-by: Jeff Layton <jlayton@samba.org>
if (sin6->sin6_scope_id) {
len = strnlen(tmpbuf, sizeof(tmpbuf));
ipaddr = tmpbuf + len;
- snprintf(tmpbuf, sizeof(tmpbuf) - len, "%%%u",
+ snprintf(ipaddr, sizeof(tmpbuf) - len, "%%%u",
sin6->sin6_scope_id);
}
break;
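Review bot: the return value of the snprintf on the + line is still ignored, so a scope id suffix that does not fit in the remaining sizeof(tmpbuf) - len bytes is truncated without any error. If strnlen finds no terminator and returns sizeof(tmpbuf), the size argument becomes 0, nothing is appended, and tmpbuf is left unterminated. Consider storing the result and treating a negative value, or a value >= sizeof(tmpbuf) - len, as a failure before the break, so that a partial "%<scope>" suffix is never used as an address.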