[Slirp] translate_dnssearch BUG
Michael T
michael.gr220 at gmail.com
Thu Jan 6 14:50:04 UTC 2022
Hello,
In this part of the code in translate_dnssearch:
    for (i = 0; i < num_domains; i++) {
        domains[i].labels = outptr;
        domain_mklabels(domains + i, names[i]);
        outptr += domains[i].len;
    }

    if (outptr == result) {
        g_free(domains);
        g_free(result);
        return -1;
    }
If we have 2 domains where the second one ends with "..", the string is not
null-terminated, thus it may cause memory corruption issues in later usage
of this heap-allocated string.
I was not able to dive really deep into the issue since it was not in the
scope of my research.
Note that we need 2 domains so we can bypass the later check and not return.
Cheers,
fuzzerakos
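
Added illustration, not part of the original message and not libslirp code: a stand-alone RFC 1035 label encoder that rejects empty labels (the case a trailing ".." produces) and always writes the terminating zero-length label, plus a list encoder in which a rejected name contributes no bytes. The names encode_labels and encode_list are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Encode one dotted name as RFC 1035 labels (length byte + data), ending
 * with the zero-length root label. Returns bytes written, or -1 if the name
 * is empty, has an empty or oversized label, or does not fit in cap. */
int encode_labels(const char *name, uint8_t *out, size_t cap)
{
    size_t pos = 0;
    const char *p = name;

    if (cap > 255)
        cap = 255;                      /* RFC 1035 limit on an encoded name */
    if (*p == '\0')
        return -1;
    while (*p != '\0') {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);

        if (len == 0 || len > 63)       /* "..", leading dot, long label */
            return -1;
        if (pos + 1 + len + 1 > cap)    /* keep one byte for the terminator */
            return -1;
        out[pos++] = (uint8_t)len;
        memcpy(out + pos, p, len);
        pos += len;
        p += len;
        if (*p == '.')
            p++;                        /* one trailing dot (FQDN) is fine */
    }
    out[pos++] = 0;                     /* always terminate */
    return (int)pos;
}

/* Encode names back to back; a rejected name adds no bytes to the total. */
int encode_list(const char *const *names, size_t n, uint8_t *out, size_t cap)
{
    size_t pos = 0;

    for (size_t i = 0; i < n; i++) {
        int r = encode_labels(names[i], out + pos, cap - pos);
        if (r > 0)
            pos += (size_t)r;
    }
    return pos ? (int)pos : -1;
}
```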