authorrofl0r <rofl0r@users.noreply.github.com>2020-03-18 12:31:13 +0000
committerrofl0r <rofl0r@users.noreply.github.com>2020-03-18 12:31:15 +0000
commitd98aabf47f43289f9e66230b3c70a9d682c7865c (patch)
tree22863f00e62fcb68a27444a1d2aa796e93ec1109 /src
parent3230ce0bc2b7d5c1379c358f4e69346d6ed43429 (diff)
transparent: fix invalid memory access
getsockname() requires addrlen to be set to the size of the sockaddr struct passed as addr, and the caller must check whether the returned addrlen exceeds the initially passed size (to determine whether the returned address is truncated). With a request like "GET /\r\n\r\n", where length is 0, the code assumed success and used the values of the uninitialized sockaddr struct.
Diffstat (limited to 'src')
-rw-r--r--src/transparent-proxy.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/transparent-proxy.c b/src/transparent-proxy.c
index df5fbce..727ef3e 100644
--- a/src/transparent-proxy.c
+++ b/src/transparent-proxy.c
@@ -65,10 +65,11 @@ do_transparent_proxy (struct conn_s *connptr, hashmap_t hashofheaders,
length = hashmap_entry_by_key (hashofheaders, "host", (void **) &data);
if (length <= 0) {
struct sockaddr_in dest_addr;
+ length = sizeof(dest_addr);
if (getsockname
(connptr->client_fd, (struct sockaddr *) &dest_addr,
- &length) < 0) {
+ &length) < 0 || length > sizeof(dest_addr)) {
log_message (LOG_ERR,
"process_request: cannot get destination IP for %d",
connptr->client_fd);
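Review bot: `length` still does double duty in this block: it holds the result of the "host" lookup and is then reused as getsockname()'s in/out address length, which is the coupling that let a stale 0 reach the call in the first place. A dedicated local next to `dest_addr`, e.g. `socklen_t addrlen = sizeof(dest_addr);` passed as `&addrlen` and tested with `addrlen > sizeof(dest_addr)`, would keep the type right for both uses. The declaration of `length` is outside the hunk, so this is hedged: if it is signed, the new comparison against `sizeof` mixes signed and unsigned, and if it is unsigned, the `length <= 0` test cannot see a negative return from the lookup, should it produce one. Because `dest_addr` is a `struct sockaddr_in`, it is also worth confirming `dest_addr.sin_family == AF_INET` before the address is used, unless the code below the hunk already does so. The body of do_transparent_proxy starts and ends outside the hunk.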