From 9a820706c8b8ac7ada70cff73dd9727d0a28b734 Mon Sep 17 00:00:00 2001
From: Miles Barr
Date: Fri, 14 Jul 2017 19:09:36 -0700
Subject: [PATCH] Stop out of bounds memory read

The code sometimes copies an IPv4 address with the size of an IPv6 address.
---
 Source/RakNetSocket2_Berkley.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Source/RakNetSocket2_Berkley.cpp b/Source/RakNetSocket2_Berkley.cpp
index 852e65c36..134c23a24 100644
--- a/Source/RakNetSocket2_Berkley.cpp
+++ b/Source/RakNetSocket2_Berkley.cpp
@@ -322,8 +322,14 @@ RNS2BindResult RNS2_Berkley::BindSharedIPV4And6( RNS2_BerkleyBindParameters *bin
 ret = bind__(rns2Socket, aip->ai_addr, (int) aip->ai_addrlen );
 if (ret>=0)
 {
- // Is this valid?
- memcpy(&boundAddress.address.addr6, aip->ai_addr, sizeof(boundAddress.address.addr6));
+ if (aip->ai_family == AF_INET)
+ {
+ memcpy(&boundAddress.address.addr4, aip->ai_addr, sizeof(sockaddr_in));
+ }
+ else
+ {
+ memcpy(&boundAddress.address.addr6, aip->ai_addr, sizeof(sockaddr_in6));
+ }
 freeaddrinfo(servinfo); // free the linked-list
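Review bot: The new `else` branch still copies `sizeof(sockaddr_in6)` bytes for every family other than `AF_INET`, and neither branch compares the copy size with `aip->ai_addrlen`, so an entry with an unexpected family or a shorter address would be over-read in the same way the patch is meant to stop. Test the family explicitly and bound the copy, for example `else if (aip->ai_family == AF_INET6 && aip->ai_addrlen >= sizeof(sockaddr_in6))`, with the matching `aip->ai_addrlen >= sizeof(sockaddr_in)` condition on the IPv4 branch, and decide what `boundAddress` should hold when neither matches. Which families `getaddrinfo` can return here depends on the hints set earlier in `BindSharedIPV4And6`, which lies outside the hunk, so this is a defensive check rather than a confirmed reachable path. The function body starts before and continues after the lines shown.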