You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
kamailio/debian/patches/upstream/0006-core-avoid-overrun-buf...

47 lines
1.4 KiB

From 42f5515df93a182fd33a6c48f1a9dd1850e91965 Mon Sep 17 00:00:00 2001
From: Victor Seva <linuxmaniac@torreviejawireless.org>
Date: Wed, 1 Feb 2017 12:53:28 +0100
Subject: [PATCH] core: avoid overrun-buffer-arg
> Overrunning array ((struct a_rdata *)rr->rdata)->ip of 4 bytes
> by passing it to a function which accesses it at byte offset 15
> using argument len (which evaluates to 16)
(cherry picked from commit 5640f696f5364bb88732807f5f87b4afb7a97ba6)
---
dns_cache.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/dns_cache.c b/dns_cache.c
index 21b780ee0..c4b910d26 100644
--- a/dns_cache.c
+++ b/dns_cache.c
@@ -2362,6 +2362,7 @@ inline static struct hostent* dns_entry2he(struct dns_hash_entry* e)
int af, len;
struct dns_rr* rr;
unsigned char rr_no;
+ unsigned char *ip;
ticks_t now;
int i;
@@ -2389,7 +2390,15 @@ inline static struct hostent* dns_entry2he(struct dns_hash_entry* e)
for(i=0; rr && (i<DNS_HE_MAX_ADDR); i++,
rr=dns_entry_get_rr(e, &rr_no, now)){
p_addr[i]=&address[i*len];
- memcpy(p_addr[i], ((struct a_rdata*)rr->rdata)->ip, len);
+ switch(e->type){
+ case T_A:
+ ip = ((struct a_rdata*)rr->rdata)->ip;
+ break;
+ case T_AAAA:
+ ip = ((struct aaaa_rdata*)rr->rdata)->ip6;
+ break;
+ }
+ memcpy(p_addr[i], ip, len);
}
if (i==0){
LM_DBG("no good records found (%d) for %.*s (%d)\n",
--
2.11.0