diff options
| author | Petr Štetiar | 2020-10-13 11:56:47 +0000 |
|---|---|---|
| committer | Petr Štetiar | 2020-10-13 13:27:49 +0000 |
| commit | 59e4fc98162d253b4e5ecd110f7bc5ea3962e221 (patch) | |
| tree | 7939eb035425e494a179c076f35399f3eb21d427 | |
| parent | 4cece9cc7db428fa0e1af27d4dced91bf7c2cc50 (diff) | |
| download | mdnsd-59e4fc98162d253b4e5ecd110f7bc5ea3962e221.tar.gz | |
cache: cache_answer: fix off by one
Fixes following issue found by the AFL fuzzer which was then confirmed
by the libFuzzer as well:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000072fa at pc 0x00000051f647 bp 0x7ffe95787cd0 sp 0x7ffe95787498
READ of size 16 at 0x6040000072fa thread T0
#0 0x51f646 in __asan_memcpy (mdnsd/build/tests/fuzz/test-fuzz+0x51f646)
#1 0x5539d3 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
#2 0x5539d3 in cache_answer mdnsd/cache.c:311:3
#3 0x561c7a in parse_answer mdnsd/dns.c:345:3
#4 0x55de9c in dns_handle_packet mdnsd/dns.c:446:7
#5 0x55a9f4 in fuzz_dns_handle_packet mdnsd/tests/fuzz/test-fuzz.c:31:2
0x6040000072fa is located 0 bytes to the right of 42-byte region [0x6040000072d0,0x6040000072fa)
allocated by thread T0 here:
#0 0x520412 in calloc (mdnsd/build/tests/fuzz/test-fuzz+0x520412)
memcpy() reads one byte past `rdata` buffer as the read starts from the
2nd byte, but the reading length wasn't adjusted to that fact.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
| -rw-r--r-- | cache.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -303,7 +303,7 @@ void cache_answer(struct interface *iface, struct sockaddr *from, uint8_t *base, if (rdlength <= 2) return; - memcpy(rdata_buffer, &rdata[1], rdlength); + memcpy(rdata_buffer, &rdata[1], rdlength-1); rdata_buffer[rdlength] = rdata_buffer[rdlength + 1] = '\0'; tlen = rdlength + 1; p = &rdata_buffer[*rdata]; |