From d98aabf47f43289f9e66230b3c70a9d682c7865c Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Wed, 18 Mar 2020 12:31:13 +0000
Subject: [PATCH] transparent: fix invalid memory access

getsockname() requires addrlen to be set to the size of the sockaddr struct passed as the addr, and a check whether the returned addrlen exceeds the initially passed size (to determine whether the address returned is truncated). with a request like "GET /\r\n\r\n" where length is 0 this caused the code to assume success and use the values of the uninitialized sockaddr struct.
---
 src/transparent-proxy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/transparent-proxy.c b/src/transparent-proxy.c
index df5fbce..727ef3e 100644
--- a/src/transparent-proxy.c
+++ b/src/transparent-proxy.c
@@ -65,10 +65,11 @@ do_transparent_proxy (struct conn_s *connptr, hashmap_t hashofheaders,
 length = hashmap_entry_by_key (hashofheaders, "host", (void **) &data);
 if (length <= 0) {
 struct sockaddr_in dest_addr;
+ length = sizeof(dest_addr);
 if (getsockname (connptr->client_fd,
 (struct sockaddr *) &dest_addr,
- &length) < 0) {
+ &length) < 0 || length > sizeof(dest_addr)) {
 log_message (LOG_ERR,
 "process_request: cannot get destination IP for %d",
 connptr->client_fd);
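Review bot: The fix reuses `length` as the getsockname() address-length argument, but `length` is declared outside the hunk and, judging by the `length <= 0` test on the hashmap_entry_by_key result, appears to be a signed int rather than `socklen_t`; passing `&length` then hands getsockname() a pointer of the wrong type, and the new `length > sizeof(dest_addr)` comparison mixes signed and unsigned operands. A dedicated variable keeps the types honest: `socklen_t addrlen = sizeof dest_addr;` before the call, `&addrlen) < 0 || addrlen > sizeof dest_addr) {` in the condition. Zero-initialising the struct (`struct sockaddr_in dest_addr = {0};`) would additionally guarantee that a truncated or partially filled address can never be read as stale stack contents, independent of the length check. do_transparent_proxy begins and ends outside the hunk.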