[PATCH mdnsd 10/10] cache: cache_answer: fix off by one
Petr Štetiar
ynezz at true.cz
Tue Oct 13 09:36:21 EDT 2020
Fixes following issue found by the AFL fuzzer which was then confirmed
by the libFuzzer as well:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000072fa at pc 0x00000051f647 bp 0x7ffe95787cd0 sp 0x7ffe95787498
READ of size 16 at 0x6040000072fa thread T0
#0 0x51f646 in __asan_memcpy (mdnsd/build/tests/fuzz/test-fuzz+0x51f646)
#1 0x5539d3 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
#2 0x5539d3 in cache_answer mdnsd/cache.c:311:3
#3 0x561c7a in parse_answer mdnsd/dns.c:345:3
#4 0x55de9c in dns_handle_packet mdnsd/dns.c:446:7
#5 0x55a9f4 in fuzz_dns_handle_packet mdnsd/tests/fuzz/test-fuzz.c:31:2
0x6040000072fa is located 0 bytes to the right of 42-byte region [0x6040000072d0,0x6040000072fa)
allocated by thread T0 here:
#0 0x520412 in calloc (mdnsd/build/tests/fuzz/test-fuzz+0x520412)
memcpy() reads one byte past `rdata` buffer as the read starts from the
2nd byte, but the reading length wasn't adjusted to that fact.
Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cache.c b/cache.c
index b2e5568f517a..ea6a4c8ab656 100644
--- a/cache.c
+++ b/cache.c
@@ -303,7 +303,7 @@ void cache_answer(struct interface *iface, struct sockaddr *from, uint8_t *base,
if (rdlength <= 2)
return;
- memcpy(rdata_buffer, &rdata[1], rdlength);
+ memcpy(rdata_buffer, &rdata[1], rdlength-1);
rdata_buffer[rdlength] = rdata_buffer[rdlength + 1] = '\0';
tlen = rdlength + 1;
p = &rdata_buffer[*rdata];
More information about the openwrt-devel
mailing list