commit c3fc63fe8661d17272a5840b26a7e45cf21fb82a
parent bcfd41f6bd41056edf8885f31f4d45b14447c60f
Author: Frederic Cambus <fred@statdns.com>
Date: Thu, 2 Dec 2021 09:53:31 +0100
Fix a use-after-free (read) triggered by strcmp(3) calls.
The parse_request() function didn't zero out the parsed_request struct
between each call. Since the parsing loop was switched to using getline(3)
instead of a fixed size buffer to process log lines, it could reference
already freed memory in certain cases.
Thanks to Brian Carpenter (@geeknik) for finding and reporting the issue.
Diffstat:
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/parse.c b/src/parse.c
@@ -4,7 +4,7 @@
* https://www.logswan.org
*
* Created: 2015-05-31
- * Last Updated: 2021-02-15
+ * Last Updated: 2021-12-02
*
* Logswan is released under the BSD 2-Clause license.
* See LICENSE file for details.
@@ -60,6 +60,8 @@ parse_request(struct request *parsed_request, char *request)
{
char *pch = strrchr(request, ' ');
+ memset(parsed_request, 0, sizeof(*parsed_request));
+
if (pch) {
parsed_request->protocol = pch + 1;
parsed_request->method = strtok(request, " ");
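Review bot: The `memset` added at the top of parse_request() has no comment saying why it is needed, and the reason is easy to lose: the fields set just below (`protocol = pch + 1`, `method = strtok(request, " ")`) are pointers into `request`, not copies, so per the commit message they go stale once the caller's getline(3) buffer is reallocated or freed. I would put `/* Fields alias the caller's line buffer; clear them so no pointer from a previous line survives. */` directly above the memset. With this change, a request containing no space now leaves every field NULL instead of stale, so the strcmp(3) call sites mentioned in the commit message need a NULL check before comparing. Those callers are not part of this diff, so that is worth confirming. The body of parse_request() continues past the end of the hunk.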