diff options
author | rofl0r <rofl0r@users.noreply.github.com> | 2020-03-18 12:31:13 +0000 |
---|---|---|
committer | rofl0r <rofl0r@users.noreply.github.com> | 2020-03-18 12:31:15 +0000 |
commit | d98aabf47f43289f9e66230b3c70a9d682c7865c (patch) | |
tree | 22863f00e62fcb68a27444a1d2aa796e93ec1109 /src | |
parent | 3230ce0bc2b7d5c1379c358f4e69346d6ed43429 (diff) |
transparent: fix invalid memory access
getsockname() requires addrlen to be set to the size of the sockaddr struct
passed as the addr, and a check whether the returned addrlen exceeds the
initially passed size (to determine whether the address returned is truncated).
with a request like "GET /\r\n\r\n" where length is 0 this caused the code
to assume success and use the values of the uninitialized sockaddr struct.
Diffstat (limited to 'src')
-rw-r--r-- | src/transparent-proxy.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/transparent-proxy.c b/src/transparent-proxy.c index df5fbce..727ef3e 100644 --- a/src/transparent-proxy.c +++ b/src/transparent-proxy.c @@ -65,10 +65,11 @@ do_transparent_proxy (struct conn_s *connptr, hashmap_t hashofheaders, length = hashmap_entry_by_key (hashofheaders, "host", (void **) &data); if (length <= 0) { struct sockaddr_in dest_addr; + length = sizeof(dest_addr); if (getsockname (connptr->client_fd, (struct sockaddr *) &dest_addr, - &length) < 0) { + &length) < 0 || length > sizeof(dest_addr)) { log_message (LOG_ERR, "process_request: cannot get destination IP for %d", connptr->client_fd); |