From 23a66e632d73fa3c2bd56d1c8b4a8d36a79919a0 Mon Sep 17 00:00:00 2001
From: Richard Patel
Date: Sun, 5 Jan 2025 16:43:10 +0000
Subject: [PATCH] Fix memcpy UB in fd_pcapng

Fixes a memcpy call with a NULL pointer
---
 src/util/net/fd_pcapng.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/util/net/fd_pcapng.c b/src/util/net/fd_pcapng.c
index a34e0ea7fd..1c129cec41 100644
--- a/src/util/net/fd_pcapng.c
+++ b/src/util/net/fd_pcapng.c
@@ -549,11 +549,22 @@ fd_pcapng_iter_err( fd_pcapng_iter_t const * iter ) {
 } \
 *(ushort *)( buf+cursor ) = ( (ushort)(t) ); cursor+=2UL; \
 *(ushort *)( buf+cursor ) = ( (ushort)_sz ); cursor+=2UL; \
- fd_memcpy ( buf+cursor, (v), _sz ); \
- fd_memset ( buf+cursor+_sz, 0, _sz_align-_sz ); \
+ if( _sz ) fd_memcpy( buf+cursor, (v), _sz ); \
+ fd_memset( buf+cursor+_sz, 0, _sz_align-_sz ); \
 cursor+=_sz_align; \
 } while(0);
 
+#define FD_PCAPNG_FWRITE_NULLOPT() \
+ do { \
+ if( FD_UNLIKELY( cursor+4UL > FD_PCAPNG_BLOCK_SZ ) ) { \
+ FD_LOG_WARNING(( "oversz pcapng block" )); \
+ return 0UL; \
+ } \
+ fd_memset( buf+cursor, 0, 4UL ); \
+ cursor+=4UL; \
+ } while(0);
+
+
 /* FD_PCAPNG_FWRITE_BLOCK_TERM terminates a block buffer being serialized
 in the context of an fwrite-style function. */
 
@@ -591,7 +602,7 @@ fd_pcapng_fwrite_shb( fd_pcapng_shb_opts_t const * opt,
 if( opt->os ) FD_PCAPNG_FWRITE_OPT( FD_PCAPNG_SHB_OPT_OS, strlen( opt->os ), opt->os );
 if( opt->userappl ) FD_PCAPNG_FWRITE_OPT( FD_PCAPNG_SHB_OPT_USERAPPL, strlen( opt->userappl ), opt->userappl );
 }
- FD_PCAPNG_FWRITE_OPT( 0, 0, NULL );
+ FD_PCAPNG_FWRITE_NULLOPT();
 
 FD_PCAPNG_FWRITE_BLOCK_TERM();
 
@@ -634,7 +645,7 @@ fd_pcapng_fwrite_idb( uint link_type,
 FD_PCAPNG_FWRITE_OPT( FD_PCAPNG_IDB_OPT_HARDWARE, fd_cstr_nlen( opt->hardware, 64UL ), opt->hardware );
 }
- FD_PCAPNG_FWRITE_OPT( 0, 0, NULL );
+ FD_PCAPNG_FWRITE_NULLOPT();
 
 FD_PCAPNG_FWRITE_BLOCK_TERM();
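Review bot: The new FD_PCAPNG_FWRITE_NULLOPT macro in the first hunk has no comment, while its neighbour FD_PCAPNG_FWRITE_BLOCK_TERM is introduced by one, so a reader has to work out from the two later hunks that it replaces `FD_PCAPNG_FWRITE_OPT( 0, 0, NULL )`. I would put above the `#define`: `/* FD_PCAPNG_FWRITE_NULLOPT appends the 4-byte end-of-options marker (code 0, length 0) directly, so no option with a NULL source pointer is ever routed through FD_PCAPNG_FWRITE_OPT and its fd_memcpy. */`. With that in place the `if( _sz )` guard added to FD_PCAPNG_FWRITE_OPT is defensive rather than load-bearing for these two callers, which is worth saying on that line as `/* empty option: nothing to copy */` so nobody later "simplifies" it away and reintroduces the zero-length copy from a possibly NULL pointer. As a style point, the new macro copies the trailing `;` after `} while(0)` from the existing macros, so `FD_PCAPNG_FWRITE_NULLOPT();` at the call sites expands to an extra empty statement and the macro cannot sit in an unbraced `if`/`else`; this is pre-existing in the file, so I would only fix it together with the sibling macros. FD_PCAPNG_FWRITE_OPT begins above the hunk, and the bodies of fd_pcapng_fwrite_shb and fd_pcapng_fwrite_idb start before and continue after their hunks.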