SOCK: Fix buffer overreach when simplifying IPv4-mapped IPv6 addresses#521

Merged
pkoning2 merged 1 commit intoopen-simh:masterfrom
markpizz:sim_sock-cleanup
May 2, 2026

Conversation

@markpizz
Contributor

There appears to be a bug in the "_sim_getaddrname" routine within "sim_sock.c". This code appears:

    if (0 == memcmp("::ffff:", hostnamebuf, 7))
        memmove(hostnamebuf, 7+hostnamebuf,
                strlen(hostnamebuf) + 7 - 1);

The intent is to slide the "hostnamebuf" string seven bytes to the
left to eliminate the "::ffff:" prefix. But it appears to move bytes
from beyond the end of "hostnamebuf".

I believe the last parameter should read "- 7 + 1" instead, as it does
in the earlier "memmove" call within "sim_accept_conn_ex".

Indeed this is a bug.

The negative consequence is very low since it merely picks up some
7 bytes of data past the end of the NUL byte in the existing string which
is likely still within the calling routine's hostnamebuf buffer.

In any case, a slightly clearer fix would be

           strlen(7+hostnamebuf) + 1);

A similar IPv4-mapped IPv6 address fixup also existed in sim_accept_conn_ex
with the correct length argument; it has been modified in the same way.

pmetzger added a commit to pmetzger/zimh that referenced this pull request Apr 28, 2026
This is a local implementation of the fix described by open-simh/simh
PR 521, not a direct import of the upstream patch.

Factor IPv4-mapped IPv6 address normalization into
sim_sock_convert_ipv4_mapped_ipv6 and use the length of the source
string after the skipped prefix. This prevents copying bytes after the
terminating NUL when converting strings such as ::ffff:198.51.100.42 to
bare IPv4 form.

Add a unit test that places sentinel data after the original NUL and
checks that conversion copies only through the terminator.

Upstream-PR: open-simh/simh#521
@pmetzger

Fixed in zimh in pmetzger/zimh@0a57aee ; SIMH might want to adopt the same fix as it is a little cleaner.
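A stand-alone demonstration of the two length rules from the PR description above, combined with the sentinel check described in the zimh commit message; this is an added example, not code from SIMH or zimh. The names overreach_len, fixed_len, strip_mapped_prefix and sentinel_test are this example's own, the address 198.51.100.42 is a constructed sample, and the 64-byte buffer is sized so the overreach stays inside the demo's own array.

```c
#include <stddef.h>
#include <string.h>

#define MAPPED_PREFIX     "::ffff:"
#define MAPPED_PREFIX_LEN 7

/* Length argument as in the original _sim_getaddrname: strlen(buf) + 7 - 1.
   It exceeds "suffix plus NUL" and so reads beyond the terminator. */
static size_t overreach_len(const char *buf)
{
    return strlen(buf) + MAPPED_PREFIX_LEN - 1;
}

/* Corrected length: the bytes after the prefix plus the terminating NUL. */
static size_t fixed_len(const char *buf)
{
    return strlen(buf + MAPPED_PREFIX_LEN) + 1;
}

/* How many bytes a memmove of 'len' from buf+7 would read beyond the NUL. */
static size_t bytes_read_past_nul(const char *buf, size_t len)
{
    size_t needed = strlen(buf + MAPPED_PREFIX_LEN) + 1;
    return len > needed ? len - needed : 0;
}

/* Strip "::ffff:" in place using the given length rule; returns 1 if stripped. */
static int strip_mapped_prefix(char *buf, size_t (*len_of)(const char *))
{
    if (memcmp(MAPPED_PREFIX, buf, MAPPED_PREFIX_LEN) != 0)
        return 0;
    memmove(buf, buf + MAPPED_PREFIX_LEN, len_of(buf));
    return 1;
}

/* Sentinel test: the bytes after the NUL hold a distinct pattern; after the
   conversion the result must be the bare IPv4 string and the pattern past
   the original NUL must be untouched. Returns 1 on success, 0 on failure. */
static int sentinel_test(size_t (*len_of)(const char *))
{
    char buf[64];                                    /* overreach stays in-bounds */
    size_t i, end;
    for (i = 0; i < sizeof buf; i++)
        buf[i] = (char)('A' + (i % 26));             /* distinct sentinel bytes */
    strcpy(buf, "::ffff:198.51.100.42");             /* constructed sample input */
    end = strlen(buf) + 1;                           /* index of first sentinel */
    if (!strip_mapped_prefix(buf, len_of) || strcmp(buf, "198.51.100.42") != 0)
        return 0;
    for (i = end; i < sizeof buf; i++)
        if (buf[i] != (char)('A' + (i % 26)))        /* overreach shifted sentinels */
            return 0;
    return 1;
}
```

Both length rules produce the correct visible string, which is why the defect was only detectable by inspection; only the sentinel comparison exposes the extra bytes the original length reads and writes.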

@pkoning2 pkoning2 merged commit 4747b27 into open-simh:master May 2, 2026
16 of 19 checks passed