udp: SECURITY: Pass correct size argument to recvfrom

Otherwise we risk overflowing the buffer.  This is a critical security
problem.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

diff --git a/udp.c b/udp.c
index 97b92a6017b81677b9c50f2be3db6ee282d1fde2..fa42ba43cfd0fb9672b8b2fcf5ba675320cd9594 100644 (file)
--- a/udp.c
+++ b/udp.c
@@ -104,8 +104,9 @@ static void udp_afterpoll(void *state, struct pollfd *fds, int nfds)
            BUF_ASSERT_FREE(st->rbuf);
            BUF_ALLOC(st->rbuf,"udp_afterpoll");
            buffer_init(st->rbuf,calculate_max_start_pad());
-           rv=recvfrom(st->fd, st->rbuf->start, st->rbuf->len, 0,
-                       (struct sockaddr *)&from, &fromlen);
+           rv=recvfrom(st->fd, st->rbuf->start,
+                       (st->rbuf->base + st->rbuf->len) - st->rbuf->start,
+                       0, (struct sockaddr *)&from, &fromlen);
            if (rv>0) {
                st->rbuf->size=rv;
                if (st->use_proxy) {