From: Remi Gacogne
Date: Mon, 27 Apr 2020 14:48:16 +0000 (+0200)
Subject: Don't read potentially uninitialized memory if gethostname() failed
X-Git-Tag: rec-4.3.1^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F9115%2Fhead;p=thirdparty%2Fpdns.git

Don't read potentially uninitialized memory if gethostname() failed

If the buffer is smaller than `HOST_NAME_MAX` (64 on Linux but up to 255 bytes in POSIX, which FreeBSD, MacOS etc honor) gethostname() might return -1 without null-terminating the buffer, causing an out-of-bounds read. As we look for the first '.' using `strchr()`, replacing it with a null byte, we also have a one-byte out-of-bounds write which might result in a crash or, albeit very unlikely, arbitrary code execution.

(cherry picked from commit aac6348d56f6f3fdba9dd2455ef06081da507c14)
---

diff --git a/pdns/rec-carbon.cc b/pdns/rec-carbon.cc index 218ee83716..4e0cedb00f 100644 --- a/pdns/rec-carbon.cc +++ b/pdns/rec-carbon.cc @@ -33,9 +33,11 @@ try namespace_name="pdns"; } if(hostname.empty()) { - char tmp[80]; + char tmp[HOST_NAME_MAX+1]; memset(tmp, 0, sizeof(tmp)); - gethostname(tmp, sizeof(tmp)); + if (gethostname(tmp, sizeof(tmp)) != 0) { + throw std::runtime_error("The 'carbon-ourname' setting has not been set and we are unable to determine the system's hostname: " + stringerror()); + } char *p = strchr(tmp, '.'); if(p) *p=0;
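
Review bot: the `strchr(tmp, '.')` after the new check still depends on `tmp` being null-terminated, and `gethostname(tmp, sizeof(tmp))` is allowed to fill the whole buffer, so termination rests entirely on `HOST_NAME_MAX` being correct for the platform. POSIX leaves it unspecified whether a truncated name is terminated when the call succeeds, so checking the return value alone does not cover that case. Passing `sizeof(tmp) - 1` would keep the last byte zeroed by the `memset` intact and bound the `strchr()` scan and the `*p=0` write no matter what the call returns. Separately, the hunk adds no include or fallback definition for `HOST_NAME_MAX`; since the commit message names FreeBSD and MacOS as platforms of concern, it is worth confirming that `<limits.h>` is pulled in and the macro is defined on each supported target, or adding a guarded default. The throw sits inside the `try` shown in the hunk header, but its handler is not visible here, so please confirm a missing hostname is reported clearly at startup rather than swallowed.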