fix potential buffer overflow when txt records are forged
[project/mdnsd.git]
/
cache.c
diff --git
a/cache.c
b/cache.c
index
1cbe18f
..
cdc4a79
100644
(file)
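--- a/cache.c
+++ b/cache.c
@@ -24,7 +24,6 @@
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
-#include <asm/byteorder.h>
 #include <arpa/nameser.h>
 #include <resolv.h>
 #include <time.h>
@@ -127,14 +126,14 @@ cache_scan(void)
 static struct cache_entry*
 cache_entry(struct interface *iface, char *entry, int hlen, int ttl)
 {
- struct cache_entry *s;
+ struct cache_entry *s, *t;
 char *entry_buf;
 char *host_buf;
 char *type;
- s = avl_find_element(&entries, entry, s, avl);
- if (s)
- return s;
+ avl_for_each_element_safe(&entries, s, avl, t)
+ if (!strcmp(s->entry, entry))
+ return s;
 s = calloc_a(sizeof(*s),
 &entry_buf, strlen(entry) + 1,
@@ -168,7 +167,7 @@ cache_record_find(char *record, int type, int port, int rdlength, uint8_t *rdata
 if (!l)
 return NULL;
- while (l && !avl_is_last(&records, &l->avl) && !strcmp(l->record, record)) {
+ while (l && !strcmp(l->record, record)) {
 struct cache_record *r = l;
 l = avl_next_element(l, avl);
@@ -226,8 +225,7 @@ cache_answer(struct interface *iface, uint8_t *base, int blen, char *name, struc
 char *name_buf;
 void *rdata_ptr, *txt_ptr;
 int host_len = 0;
-
- static char rdata_buffer[MAX_DATA_LEN + 1];
+ static char *rdata_buffer = (char *) mdns_buf;
 if (!(a->class & CLASS_IN))
 return;
@@ -276,7 +274,7 @@ cache_answer(struct interface *iface, uint8_t *base, int blen, char *name, struc
 uint8_t v = *p;
 *p = '\0';
- if (v)
+ if (v && p + v < &rdata_buffer[rdlength])
 p += v + 1;
 } while (*p);
 break;
@@ -302,8 +300,8 @@ cache_answer(struct interface *iface, uint8_t *base, int blen, char *name, struc
 r = cache_record_find(name, a->type, port, dlen, rdata);
 if (r) {
 if (!a->ttl) {
- cache_record_free(r);
 DBG(1, "D -> %s %s ttl:%d\n", dns_type_string(r->type), r->record, r->ttl);
+ cache_record_free(r);
 } else {
 r->ttl = a->ttl;
 DBG(1, "A -> %s %s ttl:%d\n", dns_type_string(r->type), r->record, r->ttl);
@@ -341,15 +339,12 @@ cache_answer(struct interface *iface, uint8_t *base, int blen, char *name, struc
 void
 cache_dump_records(struct blob_buf *buf, const char *name)
 {
- struct cache_record *r, *q = avl_find_element(&records, name, r, avl);
+ struct cache_record *r, *last, *next;
 const char *txt;
- char buffer[MAX_NAME_LEN];
+ char buffer[INET6_ADDRSTRLEN];
- if (!q)
- return;
-
- do {
- r = q;
+ last = avl_last_element(&records, last, avl);
+ for (r = avl_find_element(&records, name, r, avl); r; r = next) {
 switch (r->type) {
 case TYPE_TXT:
 if (r->txt && strlen(r->txt)) {
@@ -376,6 +371,12 @@ cache_dump_records(struct blob_buf *buf, const char *name)
 blobmsg_add_string(buf, "ipv6", buffer);
 break;
 }
- q = avl_next_element(r, avl);
- } while (q && !strcmp(r->record, q->record));
+
+ if (r == last)
+ break;
+
+ next = avl_next_element(r, avl);
+ if (strcmp(r->record, next->record) != 0)
+ break;
+ }
 }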
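Review bot: In cache_record_find the loop `while (l && !strcmp(l->record, record))` no longer stops at the end of the tree, because the `avl_is_last` test was removed and `l` is still advanced with `avl_next_element(l, avl)`. Assuming this is libubox's list-based macro, it does not return NULL after the last node, so `l->record` can be read from memory that is not a cache_record when the trailing records match `record`. cache_dump_records in this same commit guards the same walk with `if (r == last) break;`; here the advance could become `l = avl_is_last(&records, &l->avl) ? NULL : avl_next_element(l, avl);`. Separately, in cache_answer `rdata_buffer` now aliases `mdns_buf` instead of a dedicated `MAX_DATA_LEN + 1` array, and nothing visible in these hunks bounds `rdlength` by the size of `mdns_buf`, so the new `p + v < &rdata_buffer[rdlength]` check is only as strong as that unseen bound. Both function bodies extend beyond the hunks shown.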