cache: cache_answer: fix off by one
author: Petr Štetiar <ynezz@true.cz>
        Tue, 13 Oct 2020 11:56:47 +0000 (13:56 +0200)
committer: Petr Štetiar <ynezz@true.cz>
        Tue, 13 Oct 2020 13:27:49 +0000 (15:27 +0200)
commit: 59e4fc98162d253b4e5ecd110f7bc5ea3962e221
tree: 7939eb035425e494a179c076f35399f3eb21d427
parent: 4cece9cc7db428fa0e1af27d4dced91bf7c2cc50
cache: cache_answer: fix off by one

Fixes the following issue, found by the AFL fuzzer and then confirmed
by libFuzzer as well:

 ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000072fa at pc 0x00000051f647 bp 0x7ffe95787cd0 sp 0x7ffe95787498
 READ of size 16 at 0x6040000072fa thread T0
    #0 0x51f646 in __asan_memcpy (mdnsd/build/tests/fuzz/test-fuzz+0x51f646)
    #1 0x5539d3 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x5539d3 in cache_answer mdnsd/cache.c:311:3
    #3 0x561c7a in parse_answer mdnsd/dns.c:345:3
    #4 0x55de9c in dns_handle_packet mdnsd/dns.c:446:7
    #5 0x55a9f4 in fuzz_dns_handle_packet mdnsd/tests/fuzz/test-fuzz.c:31:2

 0x6040000072fa is located 0 bytes to the right of 42-byte region [0x6040000072d0,0x6040000072fa)
 allocated by thread T0 here:
     #0 0x520412 in calloc (mdnsd/build/tests/fuzz/test-fuzz+0x520412)

memcpy() reads one byte past the `rdata` buffer, as the read starts from the
2nd byte but the read length wasn't adjusted to that fact.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
cache.c
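An added illustration of the bug pattern the commit message describes; this is not the project's code and umdns's cache_answer() is not reproduced here. The first function is the length arithmetic the fix gets right (evaluated for the 42-byte region in the ASan report: starting the copy at byte 1 but still asking for 42 bytes reads one byte past the end). The second is a bounds-checked walker for TXT rdata, which stores its text as length-prefixed strings, so every read that starts after a length byte has to be checked against the bytes that actually remain. The rdata byte arrays are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TXT_STR_CAP 64   /* capacity of one output string, including the NUL */

/* Pure arithmetic, touches no memory: would reading `copylen` bytes starting
 * at offset `start` run past a buffer of `rdlength` bytes?  The overflow in
 * the report is copy_overruns(42, 1, 42): the copy skips byte 0 but still
 * asks for all 42 bytes, so it reads one byte past the region. */
static bool copy_overruns(size_t rdlength, size_t start, size_t copylen)
{
	return start > rdlength || copylen > rdlength - start;
}

/* Walk TXT rdata, a sequence of <length byte><that many bytes of text>.
 * Each string is copied NUL-terminated into out[] (at most max_strings
 * entries; longer strings are truncated to TXT_STR_CAP - 1 bytes).  Returns
 * the number of strings found, or -1 when a length byte claims more bytes
 * than remain in rdata, i.e. when an unchecked copy would read past the end. */
static int parse_txt_rdata(const uint8_t *rdata, size_t rdlength,
			   char out[][TXT_STR_CAP], size_t max_strings)
{
	size_t pos = 0;
	size_t n = 0;

	while (pos < rdlength) {
		size_t len = rdata[pos];   /* untrusted length prefix */

		pos++;                     /* the text starts after the prefix ... */
		if (copy_overruns(rdlength, pos, len))   /* ... so check len against what remains */
			return -1;
		if (n < max_strings) {
			size_t ncopy = len < TXT_STR_CAP - 1 ? len : TXT_STR_CAP - 1;

			memcpy(out[n], rdata + pos, ncopy);
			out[n][ncopy] = '\0';
		}
		n++;
		pos += len;
	}
	return (int)n;
}

int main(void)
{
	/* Constructed rdata: two TXT strings, "a=1" and "key=v". */
	static const uint8_t ok[] = { 3, 'a', '=', '1', 5, 'k', 'e', 'y', '=', 'v' };
	/* Constructed malformed rdata: the prefix claims 9 bytes but only 5 follow. */
	static const uint8_t bad[] = { 9, 's', 'h', 'o', 'r', 't' };
	char out[4][TXT_STR_CAP];
	int n;

	n = parse_txt_rdata(ok, sizeof ok, out, 4);
	printf("ok: %d strings, first=\"%s\"\n", n, n > 0 ? out[0] : "");
	n = parse_txt_rdata(bad, sizeof bad, out, 4);
	printf("bad: %d (rejected before any read past the end)\n", n);
	printf("copy of 42 bytes from offset 1 in 42 bytes overruns: %d\n",
	       copy_overruns(42, 1, 42));
	return 0;
}
```

The walker never performs the copy that the report flags: the remaining length is recomputed from the position after the prefix, which is exactly the adjustment the commit makes, and a length byte that exceeds the remainder is rejected rather than trusted.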