Fix buffer overflow and use after free.

younix · younix · commit a4dc95df15b7 · 2025-04-22T09:08:26.000Z
Upstream requests: pali/igmpproxy#98 pali/igmpproxy#99 ok tb@
diff --git a/net/igmpproxy/Makefile b/net/igmpproxy/Makefile
@@ -2,7 +2,7 @@ COMMENT =	multicast router utilizing IGMP forwarding
 
 V =		0.4
 DISTNAME =	igmpproxy-${V}
-REVISION =	0
+REVISION =	1
 
 CATEGORIES =	net
 
diff --git a/net/igmpproxy/patches/patch-src_igmp_c b/net/igmpproxy/patches/patch-src_igmp_c
@@ -1,6 +1,24 @@
 Index: src/igmp.c
 --- src/igmp.c.orig
 +++ src/igmp.c
+@@ -84,7 +84,7 @@ void initIgmp(void) {
+ *   Finds the textual name of the supplied IGMP request.
+ */
+ static const char *igmpPacketKind(unsigned int type, unsigned int code) {
+-    static char unknown[20];
++    static char unknown[32];
+ 
+     switch (type) {
+     case IGMP_MEMBERSHIP_QUERY:     return  "Membership query  ";
+@@ -94,7 +94,7 @@ static const char *igmpPacketKind(unsigned int type, u
+     case IGMP_V2_LEAVE_GROUP:        return "Leave message     ";
+ 
+     default:
+-        sprintf(unknown, "unk: 0x%02x/0x%02x    ", type, code);
++        snprintf(unknown, sizeof unknown, "unk: 0x%02x/0x%02x    ", type, code);
+         return unknown;
+     }
+ }
 @@ -132,6 +132,7 @@ void acceptIgmp(int recvlen) {
          }
          else {
diff --git a/net/igmpproxy/patches/patch-src_rttable_c b/net/igmpproxy/patches/patch-src_rttable_c
@@ -404,7 +404,24 @@ Index: src/rttable.c
  
              // We append the activity counter to the age, and continue...
              croute->ageValue = croute->ageActivity;
-@@ -718,39 +704,61 @@ int internAgeRoute(struct RouteTable*  croute) {
+@@ -704,13 +690,15 @@ int internAgeRoute(struct RouteTable*  croute) {
+ 
+             // No activity was registered within the timelimit, so remove the route.
+             removeRoute(croute);
++            croute = NULL;
+         }
+         // Tell that the route was updated...
+         result = 1;
+     }
+ 
+     // The aging vif bits must be reset for each round...
+-    BIT_ZERO(croute->ageVifBits);
++    if (croute != NULL)
++        BIT_ZERO(croute->ageVifBits);
+ 
+     return result;
+ }
+@@ -718,39 +706,61 @@ int internAgeRoute(struct RouteTable*  croute) {
  /**
  *   Updates the Kernel routing table. If activate is 1, the route
  *   is (re-)activated. If activate is false, the route is removed.
@@ -480,7 +497,7 @@ Index: src/rttable.c
          }
  
          // Do the actual Kernel route update...
-@@ -772,7 +780,7 @@ int internUpdateKernelRoute(struct RouteTable *route, 
+@@ -772,7 +782,7 @@ int internUpdateKernelRoute(struct RouteTable *route, 
  */
  void logRouteTable(const char *header) {
          struct Config       *conf = getCommonConfig();
@@ -489,7 +506,7 @@ Index: src/rttable.c
          unsigned            rcount = 0;
  
          my_log(LOG_DEBUG, 0, "");
-@@ -781,30 +789,22 @@ void logRouteTable(const char *header) {
+@@ -781,30 +791,22 @@ void logRouteTable(const char *header) {
          if(croute==NULL) {
              my_log(LOG_DEBUG, 0, "No routes in table...");
          } else {
