From 160e8fb6ca1b33387f30f7a6aa9159015ffda9d0 Mon Sep 17 00:00:00 2001 From: Evgeny Vereshchagin Date: Sun, 22 Oct 2023 10:31:31 +0000 Subject: [PATCH] core: copy resource records with zero-length rdata properly It fixes the crash spotted https://github.com/lathiat/avahi/pull/490#issuecomment-1773019619. The fuzz target was updated to exercise those code paths (among other things). Without this commit it crashes with ``` fuzz-consume-record: malloc.c:250: void *avahi_memdup(const void *, size_t): Assertion `s' failed. ==72869== ERROR: libFuzzer: deadly signal #0 0x5031b5 in __sanitizer_print_stack_trace (avahi/out/fuzz-consume-record+0x5031b5) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06) #1 0x45cd6c in fuzzer::PrintStackTrace() (avahi/out/fuzz-consume-record+0x45cd6c) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06) #2 0x441c47 in fuzzer::Fuzzer::CrashCallback() (out/fuzz-consume-record+0x441c47) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06) #3 0x7f189e97ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #4 0x7f189e9cf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #5 0x7f189e97eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #6 0x7f189e96787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #7 0x7f189e96779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #8 0x7f189e977186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) #9 0x557bfc in avahi_memdup avahi/avahi-common/malloc.c:250:5 #10 0x54895c in avahi_record_copy avahi/avahi-core/rr.c:469:45 ``` --- avahi-core/rr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/avahi-core/rr.c b/avahi-core/rr.c index 7fa0bee..2bb8924 100644 --- a/avahi-core/rr.c +++ b/avahi-core/rr.c @@ -426,6 +426,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) { copy->ref = 1; copy->key = avahi_key_ref(r->key); copy->ttl = r->ttl; + memset(©->data, 0, sizeof(copy->data)); switch (r->key->type) { case AVAHI_DNS_TYPE_PTR: @@ -466,7 +467,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) { break; default: - if (!(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size))) + if (r->data.generic.size && !(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size))) goto fail; copy->data.generic.size = r->data.generic.size; break; -- 2.41.0