transparent: fix invalid memory access

getsockname() requires addrlen to be set to the size of the sockaddr struct passed as the addr, and a check whether the returned addrlen exceeds the initially passed size (to determine whether the address returned is truncated). with a request like "GET /\r\n\r\n" where length is 0 this caused the code to assume success and use the values of the uninitialized sockaddr struct.
author: rofl0r <rofl0r@users.noreply.github.com> 2020-03-18 12:31:13 +0000
committer: rofl0r <rofl0r@users.noreply.github.com> 2020-03-18 12:31:15 +0000
commit: d98aabf47f43289f9e66230b3c70a9d682c7865c (patch)
tree: 22863f00e62fcb68a27444a1d2aa796e93ec1109 /src/transparent-proxy.c
parent: 3230ce0bc2b7d5c1379c358f4e69346d6ed43429 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/src/transparent-proxy.c b/src/transparent-proxy.c
index df5fbce..727ef3e 100644
--- a/src/transparent-proxy.c
+++ b/src/transparent-proxy.c
@@ -65,10 +65,11 @@ do_transparent_proxy (struct conn_s *connptr, hashmap_t hashofheaders,
         length = hashmap_entry_by_key (hashofheaders, "host", (void **) &data);
         if (length <= 0) {
                 struct sockaddr_in dest_addr;
+                length = sizeof(dest_addr);
 
                 if (getsockname
                     (connptr->client_fd, (struct sockaddr *) &dest_addr,
-                     &length) < 0) {
+                     &length) < 0 || length > sizeof(dest_addr)) {
                         log_message (LOG_ERR,
                                      "process_request: cannot get destination IP for %d",
                                      connptr->client_fd);
author	rofl0r <rofl0r@users.noreply.github.com>	2020-03-18 12:31:13 +0000
committer	rofl0r <rofl0r@users.noreply.github.com>	2020-03-18 12:31:15 +0000
commit	d98aabf47f43289f9e66230b3c70a9d682c7865c (patch)
tree	22863f00e62fcb68a27444a1d2aa796e93ec1109 /src/transparent-proxy.c
parent	3230ce0bc2b7d5c1379c358f4e69346d6ed43429 (diff)