cache: cache_record_find: fix buffer overflow
author	Petr Štetiar <ynezz@true.cz>
Mon, 12 Oct 2020 15:40:19 +0000 (17:40 +0200)
committer	Petr Štetiar <ynezz@true.cz>
Tue, 13 Oct 2020 13:27:49 +0000 (15:27 +0200)
Fixes following buffer overflow:

 ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007338b8 at pc 0x0000004db339 bp 0x7ffe370e6140 sp 0x7ffe370e6138
 READ of size 8 at 0x0000007338b8 thread T0
     #0 0x4db338 in cache_record_find mdnsd/cache.c:197:17
     #1 0x4d74b4 in cache_answer mdnsd/cache.c:336:6
     #2 0x4cf04a in parse_answer mdnsd/dns.c:343:3
     #3 0x4cb272 in dns_handle_packet mdnsd/dns.c:442:7
     #4 0x4f508c in read_socket4 mdnsd/interface.c:253:3
     #5 0x7fb81dddc73d in uloop_run_events libubox/uloop.c:198:4
     #6 0x7fb81dddc73d in uloop_run_timeout libubox/uloop.c:555:3
     #7 0x4c77cd in uloop_run libubox/uloop.h:111:9
     #8 0x4c7757 in main mdnsd/main.c:99:2

 0x0000007338b8 is located 8 bytes to the right of global variable 'records' defined in 'mdnsd/cache.c:45:1' (0x733880) of size 48
 SUMMARY: AddressSanitizer: global-buffer-overflow mdnsd/cache.c:197:17 in cache_record_find

Signed-off-by: Petr Štetiar <ynezz@true.cz>
cache.c
tests/fuzz/corpus/crash-68e33cae6500804f6856f5a92dca26626ad0479c [new file with mode: 0644]

diff --git a/cache.c b/cache.c
index 7d2aa8fdba2d467320c74cc4db53990dfc9db01c..b2e5568f517a36d8a1dce668882f0c00d17e7f02 100644 (file)
--- a/cache.c
+++ b/cache.c
@@ -194,7 +194,7 @@ cache_record_find(char *record, int type, int port, int rdlength, uint8_t *rdata
        if (!l)
                return NULL;
 
-       while (l && l->record && !strcmp(l->record, record)) {
+       while (l && !avl_is_last(&records, &l->avl) && !strcmp(l->record, record)) {
                struct cache_record *r = l;
 
                l = avl_next_element(l, avl);
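Review bot: the new `avl_is_last(&records, &l->avl)` test in the `while` condition is evaluated before `l` is compared, so when the matching record is the last node in `records` the loop exits without ever looking at it and `cache_record_find` returns NULL for a record that is in the cache. The out-of-bounds read itself comes from `l = avl_next_element(l, avl);` executed on the last node: its successor is the tree's own list head reinterpreted as a `struct cache_record`, which is the read 8 bytes past the 48-byte global `records` in the ASan report at cache.c:197 (the `while` line). Suggest guarding the step instead of the comparison, e.g. keep `while (l && !strcmp(l->record, record)) {` and replace the advance with `l = avl_is_last(&records, &l->avl) ? NULL : avl_next_element(l, avl);`, so every node is inspected and the walk ends at NULL rather than at the header. Dropping the old `l->record` test is fine: that dereference was the overflowing read, not a guard against it.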
diff --git a/tests/fuzz/corpus/crash-68e33cae6500804f6856f5a92dca26626ad0479c b/tests/fuzz/corpus/crash-68e33cae6500804f6856f5a92dca26626ad0479c
new file mode 100644 (file)
index 0000000..69cd85b
Binary files /dev/null and b/tests/fuzz/corpus/crash-68e33cae6500804f6856f5a92dca26626ad0479c differ
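The traversal problem behind this commit, as an added example that is not umdns or libubox code: a self-contained C model of the circular list that libubox's avl_next_element()/avl_is_last() walk, with three lookup variants. `find_patched` has the loop shape of the hunk above and stops before the last node; `find_fixed` guards the step instead of the comparison so the last node is still inspected. The names `tree_is_last`, `next_element`, `find_ge` and `lookup`, the record layout and the sample cache contents are all constructed for this example and are stand-ins for the real avl API, not the project's own functions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for libubox's list_head and avl_tree: only the circular
 * list that avl_next_element() and avl_is_last() walk is modelled here. */
struct list_head { struct list_head *next, *prev; };
struct tree { struct list_head list_head; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Cut-down cache record; the list link plays the role of struct avl_node. */
struct record {
	struct list_head avl;
	const char *record;
	int type;
};

static void tree_init(struct tree *t)
{
	t->list_head.next = t->list_head.prev = &t->list_head;
}

/* Caller appends in sorted order, so the list mirrors an in-order AVL walk. */
static void tree_add_tail(struct tree *t, struct record *r)
{
	struct list_head *n = &r->avl, *head = &t->list_head;
	n->prev = head->prev;
	n->next = head;
	head->prev->next = n;
	head->prev = n;
}

/* Same shape as avl_is_last()/avl_next_element(): stepping from the last record
 * yields the tree header reinterpreted as a record, never NULL; reading ->record
 * through that pointer is the read past 'records' in the ASan report. */
#define tree_is_last(t, n) ((t)->list_head.prev == (n))
#define next_element(r) container_of((r)->avl.next, struct record, avl)

/* Stand-in for avl_find_ge_element(): first record whose name sorts >= name. */
static struct record *find_ge(struct tree *t, const char *name)
{
	struct list_head *p;
	for (p = t->list_head.next; p != &t->list_head; p = p->next) {
		struct record *r = container_of(p, struct record, avl);
		if (strcmp(r->record, name) >= 0)
			return r;
	}
	return NULL;
}

/* Loop shape of the patch: no out-of-bounds step, but the last record in the
 * tree is never compared, so a match stored there is missed. */
static struct record *find_patched(struct tree *t, const char *name, int type)
{
	struct record *l = find_ge(t, name);

	while (l && !tree_is_last(t, &l->avl) && !strcmp(l->record, name)) {
		struct record *r = l;
		l = next_element(l);
		if (r->type == type)
			return r;
	}
	return NULL;
}

/* Guard the step rather than the comparison: every record is inspected and the
 * walk ends at NULL instead of at the header. */
static struct record *find_fixed(struct tree *t, const char *name, int type)
{
	struct record *l = find_ge(t, name);

	while (l && !strcmp(l->record, name)) {
		struct record *r = l;
		l = tree_is_last(t, &l->avl) ? NULL : next_element(l);
		if (r->type == type)
			return r;
	}
	return NULL;
}

/* Constructed sample cache whose "zz.local" records are the last two entries.
 * Returns the type of the record found, or -1 when the lookup fails. */
static int lookup(int use_fixed, const char *name, int type)
{
	static struct record recs[] = {
		{ .record = "a.local",  .type = 1 },
		{ .record = "zz.local", .type = 1 },
		{ .record = "zz.local", .type = 28 },
	};
	struct tree t;
	tree_init(&t);
	for (unsigned i = 0; i < sizeof(recs) / sizeof(recs[0]); i++)
		tree_add_tail(&t, &recs[i]);
	struct record *r = use_fixed ? find_fixed(&t, name, type) : find_patched(&t, name, type);
	return r ? r->type : -1;
}
```

Looking up the type-28 "zz.local" record, which is the last node of the sample tree, fails with the patched loop shape and succeeds with the guarded step; lookups that hit an earlier node, or a name that is not present, behave the same in both.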