From 9b9d14973aa1e5b2290595a6b53e67c2f4e0369f Mon Sep 17 00:00:00 2001
From: Sergio Correia
Date: Fri, 5 May 2023 08:14:35 -0300
Subject: [PATCH] socket: fix possible buffer overflow in listen_port()

At some point in listen_port(), we memcpy() the IP address -- ai_addr field (struct sockaddr), but used, as the size, the ai_addrlen field from ptr, which is struct addrinfo. This means that, for IPv4, we had ai_addrlen being 16, while for IPv6, it was 28. The problem is that we copy this address to a struct sockaddr, which has sizeof 16. This issue was exposed by running this under i686 with D_FORTIFY_SOURCE enabled, as we got a buffer overflow upon starting. This commit changes the memcpy() call to use the correct size for the destination memory area.
---
 src/socket.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/socket.c b/src/socket.c
index b89f8eb..bae7db9 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -38,7 +38,6 @@ typedef struct socket_list {
     int s;
     int family;
     struct sockaddr addr;
-    socklen_t addrlen;
     struct socket_list *next;
 } socket_list;
 
@@ -130,8 +129,7 @@ static int listen_port(socket_list **slist, int port)
         }
         lm->s = s;
         lm->family = ptr->ai_family;
-        lm->addrlen = ptr->ai_addrlen;
-        memcpy(&lm->addr, ptr->ai_addr, ptr->ai_addrlen);
+        memcpy(&lm->addr, ptr->ai_addr, sizeof(*ptr->ai_addr));
         lm->next = *slist;
         *slist = lm;
     }
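Review bot: The new memcpy() in the second hunk stops the overflow but does so by truncating the source: sizeof(*ptr->ai_addr) is sizeof(struct sockaddr), 16 bytes, while the description itself notes an AF_INET6 result carries ai_addrlen 28, so for IPv6 lm->addr keeps only the first 16 bytes (family, port, flowinfo and half of the address) and no longer holds a usable address. Whether anything reads lm->addr later is not visible from here, but if it does, the safer fix is to widen the destination rather than narrow the copy: declare the field as `struct sockaddr_storage addr;` in the first hunk, keep the `socklen_t addrlen;` member that hunk deletes (any later getnameinfo()/bind()-style consumer needs the real length), and copy ai_addrlen bytes after an explicit bound check against the destination. The rewritten listen_port() lines are sketched below; the error path is left as a placeholder because the function's existing failure handling starts before the hunk. listen_port() begins and ends outside the hunk.
```c
        lm->s = s;
        lm->family = ptr->ai_family;
        /* addr is now struct sockaddr_storage; ai_addrlen must never exceed it */
        if (ptr->ai_addrlen > sizeof lm->addr) {
            /* … release s and lm the same way the earlier error path in listen_port() does … */
        }
        lm->addrlen = ptr->ai_addrlen;
        memcpy(&lm->addr, ptr->ai_addr, ptr->ai_addrlen);
        /* … unchanged: list insertion … */
```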