From 1b0f134888b1d6c9acda938fb654cd4dfd295167 Mon Sep 17 00:00:00 2001
From: Guus Sliepen
Date: Tue, 28 Apr 2020 20:20:45 +0200
Subject: [PATCH] Fix a potential read from a freed buffer when sending data to a blacklisted node.
---
 src/meshlink.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/meshlink.c b/src/meshlink.c
index 72f484db..4569c9f5 100644
--- a/src/meshlink.c
+++ b/src/meshlink.c
@@ -1950,7 +1950,7 @@ void meshlink_set_error_cb(struct meshlink_handle *mesh, meshlink_error_cb_t cb)
 static bool prepare_packet(meshlink_handle_t *mesh, meshlink_node_t *destination, const void *data, size_t len, vpn_packet_t *packet) {
 meshlink_packethdr_t *hdr;
- if(len >= MAXSIZE - sizeof(*hdr)) {
+ if(len > MAXSIZE - sizeof(*hdr)) {
 meshlink_errno = MESHLINK_EINVAL;
 return false;
 }
@@ -1972,8 +1972,8 @@ static bool prepare_packet(meshlink_handle_t *mesh, meshlink_node_t *destination
 memset(hdr, 0, sizeof(*hdr));
 // leave the last byte as 0 to make sure strings are always
 // null-terminated if they are longer than the buffer
- strncpy((char *)hdr->destination, destination->name, (sizeof(hdr)->destination) - 1);
- strncpy((char *)hdr->source, mesh->self->name, (sizeof(hdr)->source) - 1);
+ strncpy((char *)hdr->destination, destination->name, sizeof(hdr->destination) - 1);
+ strncpy((char *)hdr->source, mesh->self->name, sizeof(hdr->source) - 1);
 memcpy(packet->data + sizeof(*hdr), data, len);
@@ -2023,6 +2023,7 @@ bool meshlink_send(meshlink_handle_t *mesh, meshlink_node_t *destination, const
 if(!prepare_packet(mesh, destination, data, len, packet)) {
 free(packet);
+ return false;
 }
 // Queue it
-- 
2.39.2
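Review bot: The relaxed bound at the top of prepare_packet, `if(len > MAXSIZE - sizeof(*hdr))`, now accepts a payload that fills the packet exactly. The later `memcpy(packet->data + sizeof(*hdr), data, len)` then stays in bounds only if `packet->data` holds at least MAXSIZE bytes, and that declaration is not visible in this patch. The commit subject mentions only the freed-buffer read, so this boundary change deserves its own line in the description. Once the buffer size is confirmed, I would add a comment above the check such as `// sizeof(*hdr) + len must fit in packet->data (MAXSIZE bytes)`.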
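Review bot: Both `strncpy` calls in the second prepare_packet hunk silently truncate a name longer than the header field, so the packet would carry a shortened destination or source name. Whether name length is bounded elsewhere is not visible here. If it is not, rejecting the send is safer than truncating, for example `if(strlen(destination->name) >= sizeof(hdr->destination)) { meshlink_errno = MESHLINK_EINVAL; return false; }` ahead of the memset. NUL termination itself still depends on the `memset(hdr, 0, sizeof(*hdr))` just above, which the existing comment covers. prepare_packet's body starts and ends outside the hunk.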
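Review bot: The new `return false;` in meshlink_send assumes prepare_packet has set meshlink_errno on every failure path, but only the length check in the first hunk is visibly doing so. Any other failure paths lie outside this patch and should be confirmed, presumably including the blacklisted-node case the subject names. The rest of meshlink_send is also outside the hunk, so check that nothing acquired earlier in the function (a lock, a reference) needs releasing before this early return. A regression test that sends to a blacklisted node and asserts a false return with nothing queued would keep the freed packet from reaching the queue again.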