| Message ID | 20201012154441.6106-1-ynezz@true.cz |
|---|---|
| State | Superseded |
| Delegated to: | Petr Štetiar |
| Headers | show |
| Series | [mdnsd] cache: cache_record_find: fix buffer overflow | expand |
diff --git a/cache.c b/cache.c index 7d2aa8fdba2d..b2e5568f517a 100644 --- a/cache.c +++ b/cache.c @@ -194,7 +194,7 @@ cache_record_find(char *record, int type, int port, int rdlength, uint8_t *rdata if (!l) return NULL; - while (l && l->record && !strcmp(l->record, record)) { + while (l && !avl_is_last(&records, &l->avl) && !strcmp(l->record, record)) { struct cache_record *r = l; l = avl_next_element(l, avl);
Fixes following buffer overflow: ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007338b8 at pc 0x0000004db339 bp 0x7ffe370e6140 sp 0x7ffe370e6138 READ of size 8 at 0x0000007338b8 thread T0 #0 0x4db338 in cache_record_find mdnsd/cache.c:197:17 #1 0x4d74b4 in cache_answer mdnsd/cache.c:336:6 #2 0x4cf04a in parse_answer mdnsd/dns.c:343:3 #3 0x4cb272 in dns_handle_packet mdnsd/dns.c:442:7 #4 0x4f508c in read_socket4 mdnsd/interface.c:253:3 #5 0x7fb81dddc73d in uloop_run_events libubox/uloop.c:198:4 #6 0x7fb81dddc73d in uloop_run_timeout libubox/uloop.c:555:3 #7 0x4c77cd in uloop_run libubox/uloop.h:111:9 #8 0x4c7757 in main mdnsd/main.c:99:2 0x0000007338b8 is located 8 bytes to the right of global variable 'records' defined in 'mdnsd/cache.c:45:1' (0x733880) of size 48 SUMMARY: AddressSanitizer: global-buffer-overflow mdnsd/cache.c:197:17 in cache_record_find Signed-off-by: Petr Štetiar <ynezz@true.cz> --- cache.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)