From 373f49f0813ffa3476c5f9d59f06c1cbd220d64c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oto=20=C5=A0=C5=A5=C3=A1va?= <oto.stava@nic.cz>
Date: Thu, 20 Oct 2022 13:06:31 +0200
Subject: [PATCH] daemon/network: fix heap-buffer-overflow in endpoint key
 generation

Reproducible by listening on an interface by name, ASAN reports a
heap-buffer-overflow. This was a regression caused by !1286, which did
not account for null-terminators properly.
---
 daemon/network.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/daemon/network.c b/daemon/network.c
index 66809dfff..1a54a4f85 100644
--- a/daemon/network.c
+++ b/daemon/network.c
@@ -302,6 +302,8 @@ void network_deinit(struct network *net)
 	}
 }
 
+/** Creates an endpoint key for use with a `trie_t` and stores it into `dst`.
+ * Returns the actual length of the generated key. */
 static ssize_t endpoint_key_create(struct endpoint_key_storage *dst,
                                    const char *addr_str,
                                    const struct sockaddr *sa)
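Review bot: The new doc comment says "the actual length of the generated key" without stating that, for the interface-name variant, this length includes the trailing NUL of `ifname` (visible in the `+ 1` in the second hunk), which matters because the trie will compare that terminator byte as part of the key. It also does not mention that `addr_str` longer than the `ifname` buffer is silently truncated by the bounded `strncpy`, so two distinct long names could yield the same key. I would extend the comment to: `Returns the actual length of the generated key in bytes (for interface names this includes the terminating NUL); interface names longer than the ifname buffer are truncated.` The function body runs past the end of this hunk, so any negative/error return in the hidden branch should be documented there too, if one exists.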
@@ -317,8 +319,11 @@ static ssize_t endpoint_key_create(struct endpoint_key_storage *dst,
 	} else {
 		struct endpoint_key_ifname *key = &dst->ifname;
 		key->type = ENDPOINT_KEY_IFNAME;
+
+		/* The subtractions and additions of 1 are here to account for
+		 * null-terminators. */
 		strncpy(key->ifname, addr_str, sizeof(key->ifname) - 1);
-		return sizeof(struct endpoint_key) + strnlen(key->ifname, sizeof(key->ifname));
+		return sizeof(struct endpoint_key) + strlen(key->ifname) + 1;
 	}
 }
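Review bot: The switch from `strnlen` to `strlen` on the new return line is only safe if `key->ifname[sizeof(key->ifname) - 1]` is guaranteed to be zero, because `strncpy(..., sizeof(key->ifname) - 1)` never writes that last byte and writes no terminator at all when `addr_str` fills the bounded length; if `dst` is not zeroed by the caller (not visible in this hunk), an over-long interface name makes `strlen` read past the buffer, which is the same class of bug the commit fixes. I would terminate explicitly right after the copy: `key->ifname[sizeof(key->ifname) - 1] = '\0';`, which makes the invariant local to this function rather than dependent on the caller's initialization. Separately, truncating an over-long name rather than rejecting it means two different long names collapse to one trie key; returning an error (the function already returns `ssize_t`) would be the stricter choice, though I cannot see how callers treat a negative return. The function's opening and its `if` branch are outside this hunk.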
 
-- 
GitLab