From: Kirill Isakov <bootctl@gmail.com>
Date: Mon, 30 May 2022 17:06:39 +0000 (+0600)
Subject: Fix listen_sockets overflow in close_network_connections()
X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=commitdiff_plain;h=5d68458beed944d29d6da1bf82b311a5f3599119

Fix listen_sockets overflow in close_network_connections()

==32610==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000f4f6a8 at pc 0x000000533bd6 bp 0x7ffeafc6f390 sp 0x7ffeafc6f388
READ of size 8 at 0x000000f4f6a8 thread T0
    #0 0x533bd5 in io_del /home/runner/work/tinc/tinc/openssl3/../src/linux/event.c:104:9
    #1 0x4f4808 in close_network_connections /home/runner/work/tinc/tinc/openssl3/../src/net_setup.c:1283:3
    #2 0x4cea70 in main /home/runner/work/tinc/tinc/openssl3/../src/tincd.c:717:2
    #3 0x7f493a1d3d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #4 0x7f493a1d3e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #5 0x421ac4 in _start (/home/runner/work/tinc/tinc/openssl3/src/tincd+0x421ac4)

0x000000f4f6a8 is located 8 bytes to the right of global variable 'listen_socket' defined in '../src/net_socket.c:48:17' (0xf4f0e0) of size 1472
SUMMARY: AddressSanitizer: global-buffer-overflow /home/runner/work/tinc/tinc/openssl3/../src/linux/event.c:104:9 in io_del
---

diff --git a/src/net_setup.c b/src/net_setup.c
index 2cd5818b..b88f5262 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -674,6 +674,7 @@ static bool add_listen_address(char *address, bool bindto) {
 		}
 
 		if(listen_sockets >= MAXSOCKETS) {
+			listen_sockets = MAXSOCKETS;
 			logger(DEBUG_ALWAYS, LOG_ERR, "Too many listening sockets");
 			freeaddrinfo(ai);
 			return false;
@@ -1095,6 +1096,7 @@ static bool setup_myself(void) {
 #endif
 
 		if(listen_sockets > MAXSOCKETS) {
+			listen_sockets = MAXSOCKETS;
 			logger(DEBUG_ALWAYS, LOG_ERR, "Too many listening sockets");
 			return false;
 		}