flak rss random

who even calls link_ntoa?

So there’s a buffer overflow in link_ntoa. What does this mean? CERT says an attacker may be able to execute arbitrary code, but who can be an attacker? Where is link_ntoa used?

What does link_ntoa even do? I’ve never heard of this function before.

     The link_ntoa() function takes a link-level address and returns an ASCII
     string representing some of the information present, including the link
     level address itself, and the interface name or number, if present.  This
     facility is experimental and is still subject to change.

Networking something or other I guess.

First place to look is in libc itself, where the function lives. The implementation lives in net/linkaddr.c but it’s the declaration that’s of particular interest.


The PROTO_DEPRECATED macro marks a function as exported from the library, but not for use internally. We can also verify with grep that nothing in libc calls link_ntoa, but with the symbol marking we can be confident we haven’t missed any thing.

Moving on to base, we find a few occurrences.

sbin/route/route.c:             printf("%s: link %s; ", which, link_ntoa(&su->sdl));
sbin/route/show.c:              return (link_ntoa(sdl));
usr.bin/netstat/show.c:         return (link_ntoa(sdl));

This is used to print route information obtained from the kernel. So if you haven’t patched yet, before you run route show again, make sure you trust the kernel.

Posted 07 Dec 2016 03:00 by tedu Updated: 07 Dec 2016 03:00
Tagged: openbsd software