A client sending a alfred_change_interface_v0 packet to the alfred server might have forgotten to 0-terminate the string. In this case, strstr in unix_sock_change_iface might read outside of the available buffer.

Signed-off-by: Sven Eckelmann sven@narfation.org --- unix_sock.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/unix_sock.c b/unix_sock.c index bc39199..8c2b762 100644 --- a/unix_sock.c +++ b/unix_sock.c @@ -329,6 +329,8 @@ unix_sock_change_iface(struct globals *globals, if (len < (int)(sizeof(*change_iface) - sizeof(change_iface->header))) goto err;

+ change_iface->ifaces[sizeof(change_iface->ifaces) - 1] = '\0'; + if (globals->opmode == OPMODE_SECONDARY) { if (strstr(change_iface->ifaces, ",") != NULL) { ret = -EINVAL;