From 4cece9cc7db428fa0e1af27d4dced91bf7c2cc50 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Petr=20=C5=A0tetiar?=
Date: Mon, 12 Oct 2020 17:40:19 +0200
Subject: [PATCH] cache: cache_record_find: fix buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Fixes following buffer overflow:
ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007338b8 at pc 0x0000004db339 bp 0x7ffe370e6140 sp 0x7ffe370e6138
READ of size 8 at 0x0000007338b8 thread T0
#0 0x4db338 in cache_record_find mdnsd/cache.c:197:17
#1 0x4d74b4 in cache_answer mdnsd/cache.c:336:6
#2 0x4cf04a in parse_answer mdnsd/dns.c:343:3
#3 0x4cb272 in dns_handle_packet mdnsd/dns.c:442:7
#4 0x4f508c in read_socket4 mdnsd/interface.c:253:3
#5 0x7fb81dddc73d in uloop_run_events libubox/uloop.c:198:4
#6 0x7fb81dddc73d in uloop_run_timeout libubox/uloop.c:555:3
#7 0x4c77cd in uloop_run libubox/uloop.h:111:9
#8 0x4c7757 in main mdnsd/main.c:99:2
0x0000007338b8 is located 8 bytes to the right of global variable 'records' defined in 'mdnsd/cache.c:45:1' (0x733880) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow mdnsd/cache.c:197:17 in cache_record_find
Signed-off-by: Petr Å tetiar
---
cache.c | 2 +-
.../crash-68e33cae6500804f6856f5a92dca26626ad0479c | Bin 0 -> 69 bytes
2 files changed, 1 insertion(+), 1 deletion(-)
create mode 100644 tests/fuzz/corpus/crash-68e33cae6500804f6856f5a92dca26626ad0479c
diff --git a/cache.c b/cache.c
index 7d2aa8f..b2e5568 100644
--- a/cache.c
+++ b/cache.c
@@ -194,7 +194,7 @@ cache_record_find(char *record, int type, int port, int rdlength, uint8_t *rdata
 if (!l) return NULL;
- while (l && l->record && !strcmp(l->record, record)) {
+ while (l && !avl_is_last(&records, &l->avl) && !strcmp(l->record, record)) {
 struct cache_record *r = l;
 l = avl_next_element(l, avl);
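Review bot: The new `while` condition exits before the tree's last element, so a record that happens to be last in `records` is never examined by the loop body and cache_record_find presumably returns NULL for it; the `!avl_is_last(&records, &l->avl)` test guards the wrong step. The read ASan reports is 8 bytes past the `records` tree head, which is consistent with `avl_next_element` being called on the last node and the old `l->record` test then dereferencing that bogus pointer, so the guard belongs on the advance, not on the loop entry: keep `while (l && !strcmp(l->record, record)) {` and change the advance to `l = avl_is_last(&records, &l->avl) ? NULL : avl_next_element(l, avl);`. The old `l->record` sentinel check should not be kept, since ASan shows it is itself the out-of-bounds read. The loop body and the rest of cache_record_find, including how `l` is first obtained, lie outside the hunk, so this assumes `l` is a valid element of `records` whenever it is non-NULL.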
diff --git a/tests/fuzz/corpus/crash-68e33cae6500804f6856f5a92dca26626ad0479c b/tests/fuzz/corpus/crash-68e33cae6500804f6856f5a92dca26626ad0479c new file mode 100644 index 0000000000000000000000000000000000000000..69cd85b203101a80e6f3417ceedbbc0c2e4ff893 GIT binary patch literal 69 ycmZo*_}jq1z_4xU{~ruY@j#|P1LHPPAV*t4RRBqt2P(`UAO-^<5uk<#e0%^rNfjgj literal 0 HcmV?d00001 -- 2.30.2