socket: fix possible buffer overflow in listen_port()
At some point in listen_port(), we memcpy() the IP address -- ai_addr
field (struct sockaddr), but used, as the size, the ai_addrlen field
from ptr, which is struct addrinfo.

This means that, for IPv4, we had ai_addrlen being 16, while for IPv6,
it was 28. The problem is that we copy this address to a struct
sockaddr, which has sizeof 16.

This issue was exposed by running this under i686 with D_FORTIFY_SOURCE
enabled, as we got a buffer overflow upon starting.

This commit changes the memcpy() call to use the correct size for the
destination memory area.
sergio-correia committed May 5, 2023
1 parent 5631569 commit 9b9d149
Showing 1 changed file with 1 addition and 3 deletions.
4 changes: 1 addition & 3 deletions src/socket.c
Expand Up @@ -38,7 +38,6 @@ typedef struct socket_list {
int s;
int family;
struct sockaddr addr;
socklen_t addrlen;
struct socket_list *next;
} socket_list;
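Review bot: `struct sockaddr addr;` in `socket_list` stays a 16-byte field, so a list entry still cannot hold a full IPv6 address (the commit message gives 28 bytes for that case), and dropping `socklen_t addrlen;` removes the only record of how long the real address was. Consider changing the field to `struct sockaddr_storage addr;` and keeping `addrlen`, so the original length can be stored and the copy can be bounds-checked against `sizeof(lm->addr)`.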

Expand Down Expand Up @@ -130,8 +129,7 @@ static int listen_port(socket_list **slist, int port)
}
lm->s = s;
lm->family = ptr->ai_family;
lm->addrlen = ptr->ai_addrlen;
memcpy(&lm->addr, ptr->ai_addr, ptr->ai_addrlen);
memcpy(&lm->addr, ptr->ai_addr, sizeof(*ptr->ai_addr));
lm->next = *slist;
*slist = lm;
}
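Review bot: the replacement `memcpy(&lm->addr, ptr->ai_addr, sizeof(*ptr->ai_addr));` stops the overflow but silently truncates: for an IPv6 result only the first 16 of the 28 bytes are copied, so `lm->addr` holds an incomplete address while `lm->family` still records the IPv6 family. If anything later reads `lm->addr`, this needs either a larger destination or an explicit skip or error when `ptr->ai_addrlen > sizeof(lm->addr)`. Sizing the copy by the destination, `sizeof(lm->addr)`, would also match the commit message's stated intent more directly than sizing it by the source's pointee type.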