Chris Solomon

Bug report: Memory overflow in ifdns

Discussion created by Chris Solomon on Apr 23, 2014
Latest reply on Apr 28, 2014 by Daniel Chen

Hi,

In MQX 4.0.1 (possibly later, haven't checked) there is an off by one error in rtcs/source/if/ifdns.c, in the function DNS_insert_slist_entry.


Original code snippet:


(starts at line 254)

      if (usr_slist_entry_ptr->NAME_PTR)
      {
         tmp_str = RTCS_mem_alloc_system( strlen(usr_slist_entry_ptr->NAME_PTR) );
         if (tmp_str == NULL)
            return RTCSERR_DNS_UNABLE_TO_ALLOCATE_MEMORY;
         strcpy(tmp_str, usr_slist_entry_ptr->NAME_PTR);
      }


The problem is that strlen gives the length of the string NOT INCLUDING THE NULL TERMINATION, whereas strcpy copies including the null termination.


My fix:

      if (usr_slist_entry_ptr->NAME_PTR)
      {
         tmp_str = RTCS_mem_alloc_system( strlen(usr_slist_entry_ptr->NAME_PTR) + 1 );
         if (tmp_str == NULL)
            return RTCSERR_DNS_UNABLE_TO_ALLOCATE_MEMORY;
         strcpy(tmp_str, usr_slist_entry_ptr->NAME_PTR);
      }


It's a simple fix, and for the most part it won't cause any problem, unless the string length happens to fit in the allocation block perfectly; then the first byte of the next block's header will be zeroed, with unpredictable results.
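As an added illustration (not code from the post or from MQX), here is a constructed arena model of what the post describes: a strlen()-sized allocation lets strcpy() zero the byte immediately after the block, which here stands in for the next block's header, while the +1 fix leaves that byte intact. arena_t, arena_alloc and HEADER_MAGIC are assumed names for the model; RTCS_mem_alloc_system itself is not used.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of an allocator: the returned block is immediately
 * followed by the next block's header byte, tagged with a magic value so
 * that any overrun of the block can be detected afterwards. */
#define ARENA_SIZE   64
#define HEADER_MAGIC 0xA5

typedef struct {
    uint8_t bytes[ARENA_SIZE];
    size_t  header_at;          /* offset of the simulated next-block header */
} arena_t;

/* Hand out `size` bytes at the start of the arena and plant the header
 * byte of the "next block" right behind them. */
static char *arena_alloc(arena_t *a, size_t size) {
    if (size >= ARENA_SIZE)
        return NULL;
    memset(a->bytes, 0, ARENA_SIZE);
    a->header_at = size;
    a->bytes[size] = HEADER_MAGIC;
    return (char *)a->bytes;
}

/* Same logic as the original ifdns.c: allocate strlen() bytes, then strcpy().
 * strcpy writes strlen(name) + 1 bytes, so the terminator lands on the header. */
static int copy_name_unfixed(arena_t *a, const char *name) {
    char *tmp = arena_alloc(a, strlen(name));
    if (tmp == NULL)
        return -1;
    strcpy(tmp, name);
    return 0;
}

/* The fix from the post: reserve one extra byte for the terminator. */
static int copy_name_fixed(arena_t *a, const char *name) {
    size_t len = strlen(name);
    char *tmp = arena_alloc(a, len + 1);
    if (tmp == NULL)
        return -1;
    memcpy(tmp, name, len + 1);
    return 0;
}

/* Returns 1 if the next block's header byte is still intact, 0 if clobbered. */
static int next_header_intact(const arena_t *a) {
    return a->bytes[a->header_at] == HEADER_MAGIC;
}
```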
