gsocks4aproxy: Fix a single byte buffer overflow in connect messages

`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
byte in the connect message, which is an addition in SOCKSv4a vs
SOCKSv4.

This means that the buffer for building and transmitting the connect
message could be overflowed if the username and hostname are both
`SOCKS4_MAX_LEN` (255) bytes long.

Proxy configurations are normally statically configured, so the username
is very unlikely to be near its maximum length, and hence this overflow
is unlikely to be triggered in practice.

(Commit message by Philip Withnall, diagnosis and fix by Michael
Catanzaro.)

Fixes: #3461
This commit is contained in:
Michael Catanzaro 2024-09-19 18:35:53 +01:00 committed by Philip Withnall
parent 1adc303f47
commit 25833cefda

View File

@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
* +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
* | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL |
* +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
* 1 1 2 4 variable 1 variable
* 1 1 2 4 variable 1 variable 1
*/
#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)
#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)
static gint
set_connect_msg (guint8 *msg,
const gchar *hostname,