From patchwork Tue Oct 13 13:36:21 2020
X-Patchwork-Submitter: Petr Štetiar
X-Patchwork-Id: 1381594
From: Petr Štetiar
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH mdnsd 10/10] cache: cache_answer: fix off by one
Date: Tue, 13 Oct 2020 15:36:21 +0200
Message-Id: <20201013133621.27088-11-ynezz@true.cz>
In-Reply-To: <20201013133621.27088-1-ynezz@true.cz>
References: <20201013133621.27088-1-ynezz@true.cz>
List-Id: OpenWrt Development List

Fixes the following issue found by the AFL fuzzer, which was then confirmed by libFuzzer as well:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000072fa at pc 0x00000051f647 bp 0x7ffe95787cd0 sp 0x7ffe95787498
READ of size 16 at 0x6040000072fa thread T0
    #0 0x51f646 in __asan_memcpy (mdnsd/build/tests/fuzz/test-fuzz+0x51f646)
    #1 0x5539d3 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x5539d3 in cache_answer mdnsd/cache.c:311:3
    #3 0x561c7a in parse_answer mdnsd/dns.c:345:3
    #4 0x55de9c in dns_handle_packet mdnsd/dns.c:446:7
    #5 0x55a9f4 in fuzz_dns_handle_packet mdnsd/tests/fuzz/test-fuzz.c:31:2

0x6040000072fa is located 0 bytes to the right of 42-byte region [0x6040000072d0,0x6040000072fa)
allocated by thread T0 here:
    #0 0x520412 in calloc (mdnsd/build/tests/fuzz/test-fuzz+0x520412)

memcpy() reads one byte past the `rdata` buffer, as the read starts from the 2nd byte but the read length wasn't adjusted to that fact.

Signed-off-by: Petr Štetiar
---
 cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cache.c b/cache.c
index b2e5568f517a..ea6a4c8ab656 100644
--- a/cache.c
+++ b/cache.c
@@ -303,7 +303,7 @@ void cache_answer(struct interface *iface, struct sockaddr *from, uint8_t *base, if (rdlength <= 2) return; - memcpy(rdata_buffer, &rdata[1], rdlength); + memcpy(rdata_buffer, &rdata[1], rdlength-1); rdata_buffer[rdlength] = rdata_buffer[rdlength + 1] = '\0'; tlen = rdlength + 1; p = &rdata_buffer[*rdata];
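Review bot: the copy length is now rdlength-1, but the lines that follow in this hunk still assume rdlength bytes were written: `rdata_buffer[rdlength] = rdata_buffer[rdlength + 1] = '\0';` places the terminators two positions past the copied data, so `rdata_buffer[rdlength-1]` is never written by this path, and `tlen = rdlength + 1;` still carries the old length. Either move the terminators to `rdata_buffer[rdlength-1]` / `rdata_buffer[rdlength]` and set `tlen = rdlength;`, or add a comment explaining why the extra byte is intentional, so the next reader doesn't re-open this off-by-one from the other side. Also worth confirming, since it is not visible in this context: `p = &rdata_buffer[*rdata];` indexes the buffer with a byte taken straight from the packet, so it relies on `*rdata` being bounded against `rdlength` somewhere; if that check lives elsewhere, a short comment here pointing at it would help.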