Commit: 38c28fd6383a75062944b3b5062d7974eb65425d
Parent: 26becbaf953eac6691a425521dd41bdc108c363c
Author: opask
Date: Thu, 30 Aug 2018 20:01:12 -0600
dns.c: remove dangerously misused strcpy(); update TODO
Diffstat:
2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/TODO b/TODO
@@ -44,3 +44,8 @@
- remove get_links_icon() in dip.c
- remove remaining terminal margin modifying code
+
+- name member in dnsentry and dnsquery structures was never a string yet it is
+ being (mis)used as one. there are a number of places where this results in
+ use of out of bounds memory. these NEED to be fixed, its amazing the code
+ ever worked at all
diff --git a/dns.c b/dns.c
@@ -12,7 +12,7 @@ struct dnsentry {
uttime absolute_time;
struct lookup_result addr;
list_entry_last
- unsigned char name[1];
+ char name;
};
struct dnsquery {
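Review bot: `char name;` on the new side of this hunk (and the identical `+ char name;` in the struct dnsquery hunk below) turns a variable-length trailing string into a single byte. The removed `unsigned char name[1]`, together with the `xmalloc(sizeof(struct dnsentry) + sl)` / `strcpy` pair deleted in the end_dns_lookup hunk, is the pre-C99 struct-hack idiom in which the object is allocated with extra room past the declared member, not a one-character field. The idiomatic replacement is the C99 flexible array member, `unsigned char name[];`, in both structs; since sizeof then no longer counts the one declared element, the allocation must add `sl + 1` rather than `sl`.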
@@ -22,7 +22,7 @@ struct dnsquery {
struct dnsquery **s;
struct lookup_result *addr;
int addr_preference;
- unsigned char name[1];
+ char name;
};
static int dns_cache_addr_preference = -1;
@@ -311,7 +311,6 @@ static void free_dns_entry(struct dnsentry *dnsentry)
static void end_dns_lookup(struct dnsquery *q, int a)
{
struct dnsentry *dnsentry;
- size_t sl;
void (*fn)(void *, int);
void *data;
if (!q->fn || !q->addr) {
@@ -331,11 +330,8 @@ static void end_dns_lookup(struct dnsquery *q, int a)
if (q->addr_preference != ipv6_options.addr_preference)
goto e;
check_dns_cache_addr_preference();
- sl = strlen(cast_const_char q->name);
- if (sl > INT_MAX - sizeof(struct dnsentry))
- overalloc();
- dnsentry = xmalloc(sizeof(struct dnsentry) + sl);
- strcpy(cast_char dnsentry->name, cast_const_char q->name);
+ dnsentry = xmalloc(sizeof(struct dnsentry));
+ dnsentry->name = q->name;
memcpy(&dnsentry->addr, q->addr, sizeof(struct lookup_result));
dnsentry->absolute_time = get_absolute_time();
add_to_list(dns_cache, dnsentry);
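Review bot: `dnsentry->name = q->name;` stores one byte of the looked-up hostname as the cache entry's name, and the find_host_no_cache hunk does the same with `q->name = name[0];`, so two hosts whose names share a first character produce indistinguishable dns_cache entries; if the cache is searched by name (that lookup is outside these hunks), a request for one host may be answered with another host's addresses. The removed lines copied the full string into struct-hack storage; with `name` declared as a flexible array member the copy can be kept bounded without strcpy, and `size_t sl`, dropped in the previous hunk, is needed again. The same treatment applies to find_host_no_cache provided its `q` is allocated with room for the name, which that hunk does not show. end_dns_lookup continues outside this hunk.
```c
	sl = strlen(cast_const_char q->name);
	if (sl > INT_MAX - sizeof(struct dnsentry) - 1)
		overalloc();
	dnsentry = xmalloc(sizeof(struct dnsentry) + sl + 1);
	memcpy(dnsentry->name, q->name, sl + 1); /* sl + 1 includes the terminating NUL */
	/* … unchanged: addr copy, absolute_time, add_to_list … */
```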
@@ -364,7 +360,7 @@ int find_host_no_cache(unsigned char *name, struct lookup_result *addr, void **q
q->s = (struct dnsquery **)qp;
q->addr = addr;
q->addr_preference = ipv6_options.addr_preference;
- strcpy(cast_char q->name, cast_const_char name);
+ q->name = name[0];
if (qp)
*qp = q;
return do_queued_lookup(q);