[PATCH mdnsd] cache: cache_record_find: fix buffer overflow
Petr Štetiar
ynezz at true.cz
Mon Oct 12 11:44:41 EDT 2020
Fixes following buffer overflow:
ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007338b8 at pc 0x0000004db339 bp 0x7ffe370e6140 sp 0x7ffe370e6138
READ of size 8 at 0x0000007338b8 thread T0
#0 0x4db338 in cache_record_find mdnsd/cache.c:197:17
#1 0x4d74b4 in cache_answer mdnsd/cache.c:336:6
#2 0x4cf04a in parse_answer mdnsd/dns.c:343:3
#3 0x4cb272 in dns_handle_packet mdnsd/dns.c:442:7
#4 0x4f508c in read_socket4 mdnsd/interface.c:253:3
#5 0x7fb81dddc73d in uloop_run_events libubox/uloop.c:198:4
#6 0x7fb81dddc73d in uloop_run_timeout libubox/uloop.c:555:3
#7 0x4c77cd in uloop_run libubox/uloop.h:111:9
#8 0x4c7757 in main mdnsd/main.c:99:2
0x0000007338b8 is located 8 bytes to the right of global variable 'records' defined in 'mdnsd/cache.c:45:1' (0x733880) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow mdnsd/cache.c:197:17 in cache_record_find
Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cache.c b/cache.c
index 7d2aa8fdba2d..b2e5568f517a 100644
--- a/cache.c
+++ b/cache.c
@@ -194,7 +194,7 @@ cache_record_find(char *record, int type, int port, int rdlength, uint8_t *rdata
if (!l)
return NULL;
- while (l && l->record && !strcmp(l->record, record)) {
+ while (l && !avl_is_last(&records, &l->avl) && !strcmp(l->record, record)) {
struct cache_record *r = l;
l = avl_next_element(l, avl);
More information about the openwrt-devel
mailing list