projects / tinc / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 8145a33) | patch
Fix a use-after-free bug in get_recent_address() and two related issues.
authorTodd C. Miller <Todd.Miller@sudo.ws>
Fri, 16 Feb 2018 21:17:39 +0000 (14:17 -0700)
committerTodd C. Miller <Todd.Miller@sudo.ws>
Fri, 16 Feb 2018 21:17:39 +0000 (14:17 -0700)
commit536fe3ffcdc4c894ed986dfb5fdc0d6f78d6fe25
treeb4228a438314705d0f0dc329b5aabf5f07ec58d0tree | snapshot
parent8145a3392bdcff4d7856ba72e66a90d73d887c00commit | diff
Fix a use-after-free bug in get_recent_address() and two related issues.
1) The sockaddr_t * returned may be part of memory freed by the call to
   freeaddrinfo().
2) The sockaddr_t * returned from a recently seen address not in the
   cache was cast from struct addrinfo *ai, not the struct sockaddr *
   inside of it.
3) In do_outgoing_connection(), when filling in the address in the
   connection_t, there is a buffer overflow (read, not write) if
   the sa returned by get_recent_address() didn't come from the
   cache of recently seen addresses.  That is, it was really a
   struct sockaddr * and not a sockaddr_t *.  This last was
   found by building tinc with address sanitizer.
src/address_cache.c diff | blob | history
src/net.h diff | blob | history
src/net_socket.c diff | blob | history
tinc, the VPN daemon