address: fix buffer overflow

Update tests to work on Debian 11.
dlundquist · Mar 17, 2023 · f8d9a43 · f8d9a43
1 parent 822bb80
commit f8d9a43
Show file tree

Hide file tree

Showing 10 changed files with 37 additions and 6 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+2023-03-16  Dustin Lundquist <dustin@null-ptr.net>
+	0.6.1 Release
+
+	* Fix buffer overflow in address module
+	* Fix tests
+
 2018-12-05  Dustin Lundquist <dustin@null-ptr.net>
 	0.6.0 Release
 

diff --git a/configure.ac b/configure.ac
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.60])
-AC_INIT([sniproxy], [0.6.0])
+AC_INIT([sniproxy], [0.6.1])
 AC_CONFIG_SRCDIR([src/sniproxy.c])
 AC_CONFIG_MACRO_DIR([m4])
 AM_INIT_AUTOMAKE([subdir-objects])

diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,10 @@
+sniproxy (0.6.1) unstable; urgency=high
+
+  * Fix buffer overflow in address module
+  * Fix tests
+
+ -- Dustin Lundquist <dustin@null-ptr.net>  Thu, 16 Mar 2023 21:53:48 -0700
+
 sniproxy (0.6.0) unstable; urgency=medium
 
   * PROXY v1 protocol support
@@ -10,7 +17,7 @@ sniproxy (0.6.0) unstable; urgency=medium
 sniproxy (0.5.0) unstable; urgency=medium
 
   * Transparent proxy support
-  * Use accept4() on Linix
+  * Use accept4() on Linux
   * Run as group specified in config
 
  -- Dustin Lundquist <dustin@null-ptr.net>  Wed, 26 Apr 2017 07:17:13 -0700

diff --git a/debian/compat b/debian/compat
@@ -1 +1 @@
-8
+10
diff --git a/redhat/sniproxy.spec b/redhat/sniproxy.spec
@@ -1,5 +1,5 @@
 Name: sniproxy
-Version: 0.6.0
+Version: 0.6.1
 Release: 1%{?dist}
 Summary: Transparent TLS and HTTP layer 4 proxy with SNI support
 
@@ -46,6 +46,10 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Thu Mar 16 2023 Dustin Lundquist <dustin@null-ptr.net 0.6.1-1
+- Fix buffer overflow in address module
+- Fix tests
+
 * Wed Dec 5 2018 Dustin Lundquist <dustin@null-ptr.net> 0.6.0-1
 - PROXY v1 protocol support
 - SO_REUSEPORT support on Linux 3.9 and later

diff --git a/setver.sh b/setver.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-VERSION=0.6.0
+VERSION=0.6.1
 
 SOURCE_DIR=$(dirname $0)
 GIT_DIR=${SOURCE_DIR}/.git

diff --git a/src/address.c b/src/address.c
@@ -148,6 +148,8 @@ new_address(const char *hostname_or_ip) {
     if (hostname_or_ip[0] == '[' &&
             (port = strchr(hostname_or_ip, ']')) != NULL) {
         len = (size_t)(port - hostname_or_ip - 1);
+        if (len >= INET6_ADDRSTRLEN)
+            return NULL;
 
         /* inet_pton() will not parse the IP correctly unless it is in a
          * separate string.

diff --git a/tests/Makefile.am b/tests/Makefile.am
@@ -1,6 +1,8 @@
 AM_CPPFLAGS = -I$(top_srcdir)/src -g $(LIBEV_CFLAGS) $(LIBPCRE_CFLAGS) $(LIBUDNS_CFLAGS)
 AM_CFLAGS = -fno-strict-aliasing -Wall -Wextra -Wpedantic -Wwrite-strings
 
+.NOTPARALLEL:
+
 TESTS = address_test \
         buffer_test \
         cfg_tokenizer_test \

diff --git a/tests/bad_dns_request_test b/tests/bad_dns_request_test
@@ -35,6 +35,11 @@ my $bad_requests = [
         request => "GET / HTTP/1.1\r\nHost: \0example.com\r\n\r\n",
         client => \&http_client,
     },
+    {
+        # Exceed hostname buffer size
+        request => "GET / HTTP/1.1\r\nHost: [" . 'long.' x 60 . "example.com]\r\n\r\n",
+        client => \&http_client,
+    },
     {
         # Test client aborting connection before DNS response received
         request => "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",

diff --git a/tests/slow_client_test b/tests/slow_client_test
@@ -31,11 +31,16 @@ sub slow_client($$) {
     my $socket = IO::Socket::INET->new(PeerAddr => '127.0.0.1',
             PeerPort => $port,
             Proto => "tcp",
-            Type => SOCK_STREAM)
+            Type => SOCK_STREAM,
+            Timeout => 5)
         or die "couldn't connect $!";
 
     $socket->send($request);
     foreach (split("\r\n", $request)) {
+        unless ($socket->connected()) {
+            print "Disconnected\n";
+            exit(0);
+        }
         $socket->send("$_\r\n");
         sleep(1);
     }