[netifd] interface-ip:fix memory corruption bug when setting resolv.conf path

Mon, 06 Dec 2021 19:40:24 -0800 

From: Junnan XU <nan1990...@163.com>

The value of the resolv_conf variable can be specified by input parameters
when netifd is started.So when the length of the resolv_conf variable value
is less than "/tmp/resolv.conf-%s.d/resolv.conf.auto", the memory
out-of-bounds operation will occur in interface_write_resolv_conf
function.

Signed-off-by: Junnan XU <nan1990...@163.com>
---
 interface-ip.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/interface-ip.c b/interface-ip.c
index 7b63ef9..2934575 100644
--- a/interface-ip.c
+++ b/interface-ip.c
@@ -1545,7 +1545,10 @@ __interface_write_dns_entries(FILE *f, const char *jail) 
 void
 interface_write_resolv_conf(const char *jail)
 {
-       size_t plen = (jail ? strlen(jail) + 1 : 0 ) + strlen(resolv_conf) + 1;
+       size_t resolv_conf_len = strlen(resolv_conf);
+ size_t tmp_resolve_conf_len = strlen("/tmp/resolv.conf-.d/resolv.conf.auto"); + size_t plen = (jail ? strlen(jail) + 1 : 0) + (resolv_conf_len > tmp_resolve_conf_len ? 
+               resolv_conf_len : tmp_resolve_conf_len) + 1;
        char *path = alloca(plen);
        char *dpath = alloca(plen);
        char *tmppath = alloca(plen + 4);
--
2.25.1


_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Reply via email to