topic Re: Bug report: Memory overflow in ifdns in MQX Software Solutions

Bug report: Memory overflow in ifdns

chrissolomon — Wed, 23 Apr 2014 21:54:37 GMT

Hi,

In MQX 4.0.1 (possibly later, haven't checked) there is an off by one error in rtcs/source/if/ifdns.c, in the function DNS_insert_slist_entry.

Original code snippit:

(starts at line 254)

if (usr_slist_entry_ptr->NAME_PTR)

{

tmp_str = RTCS_mem_alloc_system( strlen(usr_slist_entry_ptr->NAME_PTR) );

if (tmp_str == NULL)

return RTCSERR_DNS_UNABLE_TO_ALLOCATE_MEMORY;

strcpy(tmp_str, usr_slist_entry_ptr->NAME_PTR);

}

The problem is strlen gives the length of the string NOT INCLUDING THE NULL TERMINATION, where as strcpy copies including the null termination.

My fix:

if (usr_slist_entry_ptr->NAME_PTR)

{

tmp_str = RTCS_mem_alloc_system( strlen(usr_slist_entry_ptr->NAME_PTR) + 1 );

if (tmp_str == NULL)

return RTCSERR_DNS_UNABLE_TO_ALLOCATE_MEMORY;

strcpy(tmp_str, usr_slist_entry_ptr->NAME_PTR);

}

It's a simple fix, and for the most part it wont cause any problem, unless the string length happens to fit in the allocation block perfectly, then the first byte of the next blocks header will be zeroed, with unpredictable results.

Re: Bug report: Memory overflow in ifdns

danielchen — Mon, 28 Apr 2014 06:21:49 GMT

Thank you for reporting this, I will forward your post to software team.

Have a great day,
Daniel

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

Re: Bug report: Memory overflow in ifdns

danielchen — Mon, 28 Apr 2014 07:31:13 GMT

The DNS system has been re-written for MQX 4.2, Next MQX release won't have that source files at all. Thank you