Fixes following issue found by the AFL fuzzer which was then confirmed
by the libFuzzer as well:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000072fa at pc 0x00000051f647 bp 0x7ffe95787cd0 sp 0x7ffe95787498
READ of size 16 at 0x6040000072fa thread T0
#0 0x51f646 in __asan_memcpy (mdnsd/build/tests/fuzz/test-fuzz+0x51f646)
#1 0x5539d3 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
#2 0x5539d3 in cache_answer mdnsd/cache.c:311:3
#3 0x561c7a in parse_answer mdnsd/dns.c:345:3
#4 0x55de9c in dns_handle_packet mdnsd/dns.c:446:7
#5 0x55a9f4 in fuzz_dns_handle_packet mdnsd/tests/fuzz/test-fuzz.c:31:2
0x6040000072fa is located 0 bytes to the right of 42-byte region [0x6040000072d0,0x6040000072fa)
allocated by thread T0 here:
#0 0x520412 in calloc (mdnsd/build/tests/fuzz/test-fuzz+0x520412)
memcpy() reads one byte past `rdata` buffer as the read starts from the
2nd byte, but the reading length wasn't adjusted to that fact.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
if (rdlength <= 2)
return;
- memcpy(rdata_buffer, &rdata[1], rdlength);
+ memcpy(rdata_buffer, &rdata[1], rdlength-1);
rdata_buffer[rdlength] = rdata_buffer[rdlength + 1] = '\0';
tlen = rdlength + 1;
p = &rdata_buffer[*rdata];