Message ID | 20190902202949.27053-1-hauke@hauke-m.de |
---|---|
State | Accepted |
Headers | show |
Series | [OpenWrt-Devel] odhcpd: router: Fix out of scope memory access | expand |
On Mon, Sep 2, 2019 at 10:30 PM Hauke Mehrtens <hauke@hauke-m.de> wrote: > > A pointer to search_buf is accessed by search_domain outside of the > if branch which defines search_buf. The compiler could already reuse > this memory. > > Coverity: #1445747 > Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> > --- Patch applied; thx Hans > src/router.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/src/router.c b/src/router.c > index 07dd146..700e1ff 100644 > --- a/src/router.c > +++ b/src/router.c > @@ -607,6 +607,7 @@ static int send_router_advert(struct interface *iface, const struct in6_addr *fr > struct in6_addr dns_pref, *dns_addr = NULL; > size_t dns_cnt = 0, search_len = iface->search_len; > uint8_t *search_domain = iface->search; > + uint8_t search_buf[256]; > > /* DNS Recursive DNS */ > if (iface->dns_cnt > 0) { > @@ -630,8 +631,6 @@ static int send_router_advert(struct interface *iface, const struct in6_addr *fr > > /* DNS Search options */ > if (!search_domain && !res_init() && _res.dnsrch[0] && _res.dnsrch[0][0]) { > - uint8_t search_buf[256]; > - > int len = dn_comp(_res.dnsrch[0], search_buf, > sizeof(search_buf), NULL, NULL); > if (len > 0) { > -- > 2.20.1 > > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
diff --git a/src/router.c b/src/router.c index 07dd146..700e1ff 100644 --- a/src/router.c +++ b/src/router.c @@ -607,6 +607,7 @@ static int send_router_advert(struct interface *iface, const struct in6_addr *fr struct in6_addr dns_pref, *dns_addr = NULL; size_t dns_cnt = 0, search_len = iface->search_len; uint8_t *search_domain = iface->search; + uint8_t search_buf[256]; /* DNS Recursive DNS */ if (iface->dns_cnt > 0) { @@ -630,8 +631,6 @@ static int send_router_advert(struct interface *iface, const struct in6_addr *fr /* DNS Search options */ if (!search_domain && !res_init() && _res.dnsrch[0] && _res.dnsrch[0][0]) { - uint8_t search_buf[256]; - int len = dn_comp(_res.dnsrch[0], search_buf, sizeof(search_buf), NULL, NULL); if (len > 0) {
A pointer to search_buf is accessed by search_domain outside of the if branch which defines search_buf. The compiler could already reuse this memory. Coverity: #1445747 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> --- src/router.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)