[misc] Fix use-after-free in net_bind()
Thanks to Ba Jinsheng for reporting this bug
ejurgensen committed Jul 30, 2021
1 parent dc8e661 commit 246d8ae
Showing 1 changed file with 13 additions and 5 deletions.
18 changes: 13 additions & 5 deletions src/misc.c
@@ -251,6 +251,8 @@ net_bind(short unsigned *port, int type, const char *log_service_name)
struct addrinfo hints = { 0 };
struct addrinfo *servinfo;
struct addrinfo *ptr;
union net_sockaddr naddr = { 0 };
socklen_t naddr_len = sizeof(naddr);
const char *cfgaddr;
char addr[INET6_ADDRSTRLEN];
char strport[8];
@@ -314,16 +316,22 @@ net_bind(short unsigned *port, int type, const char *log_service_name)
goto error;
}

// Get the port that was assigned
ret = getsockname(fd, ptr->ai_addr, &ptr->ai_addrlen);
// Get our address (as string) and the port that was assigned (necessary when
// caller didn't specify a port)
ret = getsockname(fd, &naddr.sa, &naddr_len);
if (ret < 0)
{
DPRINTF(E_LOG, L_MISC, "Could not find address of service '%s': %s\n", log_service_name, strerror(errno));
DPRINTF(E_LOG, L_MISC, "Error finding address of service '%s': %s\n", log_service_name, strerror(errno));
goto error;
}
else if (naddr_len > sizeof(naddr))
{
DPRINTF(E_LOG, L_MISC, "Unexpected address length of service '%s'\n", log_service_name);
goto error;
}

net_port_get(port, (union net_sockaddr *)ptr->ai_addr);
net_address_get(addr, sizeof(addr), (union net_sockaddr *)ptr->ai_addr);
net_port_get(port, &naddr);
net_address_get(addr, sizeof(addr), &naddr);

DPRINTF(E_DBG, L_MISC, "Service '%s' bound to %s, port %hu, socket %d\n", log_service_name, addr, *port, fd);
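Review bot: The results of `net_port_get(port, &naddr)` and `net_address_get(addr, sizeof(addr), &naddr)` are not checked before `addr` and `*port` reach the final debug `DPRINTF`, and `addr` is declared without an initialiser in the first hunk. If either helper can fail (their bodies are not shown here, so this is an assumption, for example on an address family they do not handle), the log call would read an indeterminate stack buffer and the caller would keep an unchanged `*port`. Initialising the buffer with `char addr[INET6_ADDRSTRLEN] = "";`, or taking `goto error` on a failing return, would close that off. The comment above `getsockname()` could also state why a local `naddr` is used, e.g. `// Use local storage: ptr/servinfo must not be dereferenced here`, assuming the addrinfo list is released outside the visible lines, so the use-after-free is not reintroduced later. net_bind's body starts and ends outside both hunks.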
