From 45d5900c9ee8d03554f28d698fc8533c7dcb321b Mon Sep 17 00:00:00 2001
From: Collin Funk <collin.funk1@gmail.com>
Date: Mon, 6 May 2024 17:57:11 -0700
Subject: [PATCH] ifconfig: Fix ASAN 'dynamic-stack-buffer-overflow' in
 formatting.

* ifconfig/printif.c (print_interfaceX): Allocate the argv array on
the heap as the format string is being processed. The previous
'alloca' leads to invalid writes detected by ASAN and Valgrind when
using the --format and --short options.
---
 ifconfig/printif.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/ifconfig/printif.c b/ifconfig/printif.c
index 4f2fdc1a..f68547bd 100644
--- a/ifconfig/printif.c
+++ b/ifconfig/printif.c
@@ -1125,8 +1125,7 @@ print_interfaceX (format_data_t form, int quiet)
 	  else
 	    {
 	      int argc = 0;
-	      char **argv;
-	      argv = alloca (strlen (q) / 2);
+	      char **argv = NULL;
 
 	      while (*p == '{')
 		{
@@ -1134,6 +1133,7 @@ print_interfaceX (format_data_t form, int quiet)
 		  form->format = p;
 		  print_interfaceX (form, 1);
 		  q = form->format;
+                  argv = xrealloc (argv, (argc + 1) * sizeof (char *));
 		  argv[argc] = xmalloc (q - p + 1);
 		  memcpy (argv[argc], p, q - p);
 		  argv[argc][q - p] = '\0';
@@ -1144,11 +1144,14 @@ print_interfaceX (format_data_t form, int quiet)
 		}
 
 	      format_handler (id, form, argc, argv);
-
-	      /* Clean up.  */
-	      form->format = p;
-	      while (--argc >= 0)
-		free (argv[argc]);
+              if (argv != NULL)
+                {
+                  /* Clean up.  */
+                  while (--argc >= 0)
+                    free (argv[argc]);
+                  free (argv);
+                }
+              form->format = p;
 	    }
 	}
     }
-- 
2.45.0