If a user queries a name without a domain, then an uninitialized
memory read happens.
Log from valgrind:
connmand[28380]: src/dnsproxy.c:parse_response() qr 1 qdcount 1
==28380== Conditional jump or move depends on uninitialised value(s)
==28380== at 0x4009777: strlen (mc_replace_strmem.c:403)
==28380== by 0x4D65A73E: g_strdup (gstrfuncs.c:355)
==28380== by 0x80C6B45: cache_update.isra.2 (dnsproxy.c:1110)
==28380== by 0x80C6FE9: forward_dns_reply (dnsproxy.c:1800)
==28380== by 0x80C7368: udp_server_event (dnsproxy.c:1909)
==28380== by 0x4D67F2BE: g_io_unix_dispatch (giounix.c:166)
==28380== by 0x4D63D0BA: g_main_context_dispatch (gmain.c:2539)
==28380== by 0x4D63D45F: g_main_context_iterate.isra.21 (gmain.c:3146)
==28380== by 0x4D63D8C2: g_main_loop_run (gmain.c:3340)
==28380== by 0x805416C: main (main.c:693)
---
src/dnsproxy.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/dnsproxy.c b/src/dnsproxy.c
index c4d5f14..7c83883 100644
--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
@@ -1005,6 +1005,8 @@ static int parse_response(unsigned char *buf, int buflen,
*response_len = 0;
*answers = 0;
+ memset(name, 0, sizeof(name));
+
/*
* We have a bunch of answers (like A, AAAA, CNAME etc) to
* A or AAAA question. We traverse the answers and parse the
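Review bot: the added `memset(name, 0, sizeof(name));` clears the whole buffer only if `name` is an array declared inside parse_response. Its declaration is outside this hunk, and if `name` were a pointer, `sizeof(name)` would clear only pointer-size bytes. Please confirm this, or initialise the buffer at its declaration so the zeroing sits next to the size. Also, with the buffer zeroed, the g_strdup call in cache_update (dnsproxy.c:1110 in the valgrind trace) now receives an empty string when the name has no domain. The commit message should state whether an empty name is acceptable there or whether cache_update should skip that case.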
--
1.8.3.1