Blame SOURCES/0177-util-do-not-use-stack-frame-for-parsing-arbitrary-in.patch

a3e2b5
From a652268ae11633cf64c87586bed1fd3c7141707a Mon Sep 17 00:00:00 2001
a3e2b5
From: Yu Watanabe <watanabe.yu+github@gmail.com>
a3e2b5
Date: Wed, 22 Aug 2018 12:33:27 +0900
a3e2b5
Subject: [PATCH] util: do not use stack frame for parsing arbitrary inputs
a3e2b5
a3e2b5
This replaces strndupa() by strndup() in socket_address_parse(),
a3e2b5
as input string may be too long.
a3e2b5
a3e2b5
Fixes issue 10007 by ClusterFuzz-External:
a3e2b5
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10007
a3e2b5
a3e2b5
(cherry picked from commit 8d30fcb9b51b1d102a589171b6e28f5f370236f6)
a3e2b5
a3e2b5
Resolves: #1696224
a3e2b5
---
a3e2b5
 src/basic/socket-util.c | 16 ++++++++++++----
a3e2b5
 1 file changed, 12 insertions(+), 4 deletions(-)
a3e2b5
a3e2b5
diff --git a/src/basic/socket-util.c b/src/basic/socket-util.c
a3e2b5
index a913102e13..3f90a81d35 100644
a3e2b5
--- a/src/basic/socket-util.c
a3e2b5
+++ b/src/basic/socket-util.c
a3e2b5
@@ -50,7 +50,8 @@ static const char* const socket_address_type_table[] = {
a3e2b5
 DEFINE_STRING_TABLE_LOOKUP(socket_address_type, int);
a3e2b5
 
a3e2b5
 int socket_address_parse(SocketAddress *a, const char *s) {
a3e2b5
-        char *e, *n;
a3e2b5
+        _cleanup_free_ char *n = NULL;
a3e2b5
+        char *e;
a3e2b5
         int r;
a3e2b5
 
a3e2b5
         assert(a);
a3e2b5
@@ -68,7 +69,9 @@ int socket_address_parse(SocketAddress *a, const char *s) {
a3e2b5
                 if (!e)
a3e2b5
                         return -EINVAL;
a3e2b5
 
a3e2b5
-                n = strndupa(s+1, e-s-1);
a3e2b5
+                n = strndup(s+1, e-s-1);
a3e2b5
+                if (!n)
a3e2b5
+                        return -ENOMEM;
a3e2b5
 
a3e2b5
                 errno = 0;
a3e2b5
                 if (inet_pton(AF_INET6, n, &a->sockaddr.in6.sin6_addr) <= 0)
a3e2b5
@@ -125,7 +128,10 @@ int socket_address_parse(SocketAddress *a, const char *s) {
a3e2b5
                 if (r < 0)
a3e2b5
                         return r;
a3e2b5
 
a3e2b5
-                n = strndupa(cid_start, e - cid_start);
a3e2b5
+                n = strndup(cid_start, e - cid_start);
a3e2b5
+                if (!n)
a3e2b5
+                        return -ENOMEM;
a3e2b5
+
a3e2b5
                 if (!isempty(n)) {
a3e2b5
                         r = safe_atou(n, &a->sockaddr.vm.svm_cid);
a3e2b5
                         if (r < 0)
a3e2b5
@@ -146,7 +152,9 @@ int socket_address_parse(SocketAddress *a, const char *s) {
a3e2b5
                         if (r < 0)
a3e2b5
                                 return r;
a3e2b5
 
a3e2b5
-                        n = strndupa(s, e-s);
a3e2b5
+                        n = strndup(s, e-s);
a3e2b5
+                        if (!n)
a3e2b5
+                                return -ENOMEM;
a3e2b5
 
a3e2b5
                         /* IPv4 in w.x.y.z:p notation? */
a3e2b5
                         r = inet_pton(AF_INET, n, &a->sockaddr.in.sin_addr);