[PATCH mdnsd 10/10] cache: cache_answer: fix off by one

Petr Štetiar ynezz at true.cz
Tue Oct 13 09:36:21 EDT 2020


Fixes following issue found by the AFL fuzzer which was then confirmed
by the libFuzzer as well:

 ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000072fa at pc 0x00000051f647 bp 0x7ffe95787cd0 sp 0x7ffe95787498
 READ of size 16 at 0x6040000072fa thread T0
    #0 0x51f646 in __asan_memcpy (mdnsd/build/tests/fuzz/test-fuzz+0x51f646)
    #1 0x5539d3 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x5539d3 in cache_answer mdnsd/cache.c:311:3
    #3 0x561c7a in parse_answer mdnsd/dns.c:345:3
    #4 0x55de9c in dns_handle_packet mdnsd/dns.c:446:7
    #5 0x55a9f4 in fuzz_dns_handle_packet mdnsd/tests/fuzz/test-fuzz.c:31:2

 0x6040000072fa is located 0 bytes to the right of 42-byte region [0x6040000072d0,0x6040000072fa)
 allocated by thread T0 here:
     #0 0x520412 in calloc (mdnsd/build/tests/fuzz/test-fuzz+0x520412)

memcpy() reads one byte past `rdata` buffer as the read starts from the
2nd byte, but the reading length wasn't adjusted to that fact.

Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
 cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cache.c b/cache.c
index b2e5568f517a..ea6a4c8ab656 100644
--- a/cache.c
+++ b/cache.c
@@ -303,7 +303,7 @@ void cache_answer(struct interface *iface, struct sockaddr *from, uint8_t *base,
 		if (rdlength <= 2)
 			return;
 
-		memcpy(rdata_buffer, &rdata[1], rdlength);
+		memcpy(rdata_buffer, &rdata[1], rdlength-1);
 		rdata_buffer[rdlength] = rdata_buffer[rdlength + 1] = '\0';
 		tlen = rdlength + 1;
 		p = &rdata_buffer[*rdata];



More information about the openwrt-devel mailing list