daemon/network: fix heap-buffer-overflow in endpoint key generation

Reproducible by listening on an interface by name, ASAN reports a
heap-buffer-overflow. This was a regression caused by !1286, which did
not account for null-terminators properly.

diff --git a/daemon/network.c b/daemon/network.c
index 66809dfffc4b5b2387c60411074da5b6084f04b4..1a54a4f85dc045f9ac50c91969267e7cdc4f1c5c 100644 (file)
--- a/daemon/network.c
+++ b/daemon/network.c
@@ -302,6 +302,8 @@ void network_deinit(struct network *net)
        }
 }
 
+/** Creates an endpoint key for use with a `trie_t` and stores it into `dst`.
+ * Returns the actual length of the generated key. */
 static ssize_t endpoint_key_create(struct endpoint_key_storage *dst,
                                    const char *addr_str,
                                    const struct sockaddr *sa)
@@ -317,8 +319,11 @@ static ssize_t endpoint_key_create(struct endpoint_key_storage *dst,
        } else {
                struct endpoint_key_ifname *key = &dst->ifname;
                key->type = ENDPOINT_KEY_IFNAME;
+
+               /* The subtractions and additions of 1 are here to account for
+                * null-terminators. */
                strncpy(key->ifname, addr_str, sizeof(key->ifname) - 1);
-               return sizeof(struct endpoint_key) + strnlen(key->ifname, sizeof(key->ifname));
+               return sizeof(struct endpoint_key) + strlen(key->ifname) + 1;
        }
 }