net/igmpproxy: Fix buf. overflow and use after free
On Tue, Apr 22, 2025 at 09:39:46AM +0200, Jan Klemkow wrote:
> Hi,
>
> This diff adds local patches to fix a known buffer overflow [1] and a
> use after free[2]. Upstream is not very responsive. Thus, we have to
> patch this here for now.
>
> ok?
ok
You could also consider growing the unknown[20] array to 32 in addition
to switching to snprintf().
>
> bye,
> jan
>
> [1]: https://github.com/pali/igmpproxy/issues/97
> [2]: https://github.com/pali/igmpproxy/pull/98
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/igmpproxy/Makefile,v
> diff -u -p -r1.26 Makefile
> --- Makefile 27 Sep 2023 14:18:09 -0000 1.26
> +++ Makefile 22 Apr 2025 07:31:02 -0000
> @@ -2,7 +2,7 @@ COMMENT = multicast router utilizing IGM
>
> V = 0.4
> DISTNAME = igmpproxy-${V}
> -REVISION = 0
> +REVISION = 1
>
> CATEGORIES = net
>
> Index: patches/patch-src_igmp_c
> ===================================================================
> RCS file: /cvs/ports/net/igmpproxy/patches/patch-src_igmp_c,v
> diff -u -p -r1.3 patch-src_igmp_c
> --- patches/patch-src_igmp_c 30 Oct 2022 10:07:56 -0000 1.3
> +++ patches/patch-src_igmp_c 22 Apr 2025 07:31:02 -0000
> @@ -1,6 +1,15 @@
> Index: src/igmp.c
> --- src/igmp.c.orig
> +++ src/igmp.c
> +@@ -94,7 +94,7 @@ static const char *igmpPacketKind(unsigned int type, u
> + case IGMP_V2_LEAVE_GROUP: return "Leave message ";
> +
> + default:
> +- sprintf(unknown, "unk: 0x%02x/0x%02x ", type, code);
> ++ snprintf(unknown, sizeof unknown, "unk: 0x%02x/0x%02x ", type, code);
> + return unknown;
> + }
> + }
> @@ -132,6 +132,7 @@ void acceptIgmp(int recvlen) {
> }
> else {
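Review bot: The bounded `snprintf(unknown, sizeof unknown, ...)` call in the `default:` branch stops the write past `unknown`, but `%02x` only sets a minimum width and `type` is an `unsigned int`. Any value above 0xff can therefore still format to more characters than the buffer holds, and the log label is then silently cut short. If both arguments are meant to be the 8-bit IGMP header fields (inferred from the format string; the declarations are outside the hunk), masking keeps the output at a fixed 15 characters: `snprintf(unknown, sizeof unknown, "unk: 0x%02x/0x%02x ", type & 0xffU, code & 0xffU);`. The start of igmpPacketKind and the declaration of `unknown` are not visible in this hunk.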
> Index: patches/patch-src_rttable_c
> ===================================================================
> RCS file: /cvs/ports/net/igmpproxy/patches/patch-src_rttable_c,v
> diff -u -p -r1.3 patch-src_rttable_c
> --- patches/patch-src_rttable_c 30 Oct 2022 10:07:56 -0000 1.3
> +++ patches/patch-src_rttable_c 22 Apr 2025 07:31:02 -0000
> @@ -404,7 +404,24 @@ Index: src/rttable.c
>
> // We append the activity counter to the age, and continue...
> croute->ageValue = croute->ageActivity;
> -@@ -718,39 +704,61 @@ int internAgeRoute(struct RouteTable* croute) {
> +@@ -704,13 +690,15 @@ int internAgeRoute(struct RouteTable* croute) {
> +
> + // No activity was registered within the timelimit, so remove the route.
> + removeRoute(croute);
> ++ croute = NULL;
> + }
> + // Tell that the route was updated...
> + result = 1;
> + }
> +
> + // The aging vif bits must be reset for each round...
> +- BIT_ZERO(croute->ageVifBits);
> ++ if (croute != NULL)
> ++ BIT_ZERO(croute->ageVifBits);
> +
> + return result;
> + }
> +@@ -718,39 +706,61 @@ int internAgeRoute(struct RouteTable* croute) {
> /**
> * Updates the Kernel routing table. If activate is 1, the route
> * is (re-)activated. If activate is false, the route is removed.
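Review bot: The added `croute = NULL;` after `removeRoute(croute);` has no comment explaining it, and the existing comment above `BIT_ZERO` still reads as if the reset always runs. A one-line why-comment would make the intent clear, for example `// removeRoute() released croute (per the use-after-free report); clear it so the reset below is skipped`. Clearing the local pointer only protects this function. Whether a caller of internAgeRoute keeps its own pointer to the removed route cannot be seen from this hunk and is worth confirming. internAgeRoute begins outside the hunk.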
> @@ -480,7 +497,7 @@ Index: src/rttable.c
> }
>
> // Do the actual Kernel route update...
> -@@ -772,7 +780,7 @@ int internUpdateKernelRoute(struct RouteTable *route,
> +@@ -772,7 +782,7 @@ int internUpdateKernelRoute(struct RouteTable *route,
> */
> void logRouteTable(const char *header) {
> struct Config *conf = getCommonConfig();
> @@ -489,7 +506,7 @@ Index: src/rttable.c
> unsigned rcount = 0;
>
> my_log(LOG_DEBUG, 0, "");
> -@@ -781,30 +789,22 @@ void logRouteTable(const char *header) {
> +@@ -781,30 +791,22 @@ void logRouteTable(const char *header) {
> if(croute==NULL) {
> my_log(LOG_DEBUG, 0, "No routes in table...");
> } else {
>