bughz/tinyproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

transparent: fix invalid memory access

Browse Source 
getsockname() requires addrlen to be set to the size of the sockaddr struct
passed as the addr, and a check whether the returned addrlen exceeds the
initially passed size (to determine whether the address returned is truncated).

with a request like "GET /\r\n\r\n" where length is 0 this caused the code
to assume success and use the values of the uninitialized sockaddr struct.
This commit is contained in:
rofl0r 2020-03-18 12:31:13 +00:00
parent 3230ce0bc2
commit d98aabf47f
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/transparent-proxy.c
View File

@ -65,10 +65,11 @@ do_transparent_proxy (struct conn_s *connptr, hashmap_t hashofheaders,
length = hashmap_entry_by_key (hashofheaders, "host", (void **) &data); length = hashmap_entry_by_key (hashofheaders, "host", (void **) &data);
if (length <= 0) { if (length <= 0) {
struct sockaddr_in dest_addr; struct sockaddr_in dest_addr;
length = sizeof(dest_addr);
if (getsockname if (getsockname
(connptr->client_fd, (struct sockaddr *) &dest_addr, (connptr->client_fd, (struct sockaddr *) &dest_addr,
&length) < 0) { &length) < 0 || length > sizeof(dest_addr)) {
log_message (LOG_ERR, log_message (LOG_ERR,
"process_request: cannot get destination IP for %d", "process_request: cannot get destination IP for %d",
connptr->client_fd); connptr->client_fd);