There is a swapped parameter in `parse_ask_file`:
- In `parse_ask_file`, `posix_memalign((void**)&req, sizeof(void*), alignof(struct request))` allocates `alignof(struct request)` bytes instead of `sizeof(struct request)` bytes. This allocates only 8 bytes on 64-bit systems instead of the required structure size, causing heap-based buffer overflows on member accesses.
- The allocated structure `req` is never zeroed or initialized. Its members contain garbage memory, leading to use of uninitialized values.
- If `req->message` is uninitialized or evaluated as false, `free(req->socket_path)` is called on an uninitialized pointer, causing an arbitrary free vulnerability.
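As an added example (not code from this report or from the project it reviews), the following C shows the allocation as it should look: `posix_memalign` called in its documented `(memptr, alignment, size)` order, the block zeroed before any member is read, and a release routine that is well-defined because every pointer member is either NULL or heap-owned. The `struct request` layout is a hypothetical assumption made here; only the member names `message` and `socket_path` come from the report. The two size helpers make the swapped call's effect concrete: it requests `alignof(struct request)` bytes, which is 8 on a typical 64-bit target, where `sizeof(struct request)` is needed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout for illustration; only the members message and
 * socket_path are named in the report, the rest is assumed here. */
struct request {
    char *message;
    char *socket_path;
    int   flags;
};

/* What the swapped call posix_memalign(&req, sizeof(void*), alignof(struct request))
 * actually asks for: the alignment value used as the byte count. */
size_t swapped_request_size(void) {
    return alignof(struct request);
}

/* What the allocation must provide for every member access to stay in bounds. */
size_t correct_request_size(void) {
    return sizeof(struct request);
}

/* Corrected allocation: alignment and size in the right order, and the
 * block zeroed so no member is ever read while holding garbage. */
struct request *request_alloc(void) {
    /* posix_memalign requires the alignment to be a power of two that is
     * also a multiple of sizeof(void*); take the larger of the two. */
    size_t align = alignof(struct request) > sizeof(void *)
                 ? alignof(struct request) : sizeof(void *);
    void *mem = NULL;
    int rc = posix_memalign(&mem, align, sizeof(struct request));
    if (rc != 0)
        return NULL;              /* mem is unspecified on failure: do not use it */
    memset(mem, 0, sizeof(struct request));
    return (struct request *)mem;
}

/* Because request_alloc zeroes the block, free() on each pointer member is
 * always defined: it sees either NULL or a heap pointer this code owns. */
void request_free(struct request *req) {
    if (req == NULL)
        return;
    free(req->message);
    free(req->socket_path);
    free(req);
}

/* Self-check: allocation succeeds, is suitably aligned, starts zeroed, and a
 * partially populated request (only message set) is released cleanly. Returns
 * 1 on success, 0 on any failure. */
int request_alloc_selftest(void) {
    struct request *req = request_alloc();
    if (req == NULL)
        return 0;
    if (((uintptr_t)req % alignof(struct request)) != 0) { request_free(req); return 0; }
    if (req->message != NULL || req->socket_path != NULL || req->flags != 0) {
        request_free(req);
        return 0;
    }
    req->message = strdup("constructed sample message");   /* socket_path stays NULL */
    if (req->message == NULL) { request_free(req); return 0; }
    request_free(req);        /* free(NULL) for socket_path is a no-op, not an arbitrary free */
    return 1;
}

int main(void) {
    printf("swapped call allocates %zu bytes; struct request needs %zu\n",
           swapped_request_size(), correct_request_size());
    return request_alloc_selftest() ? 0 : 1;
}
```

The self-check deliberately leaves `socket_path` unset to mirror the report's third finding: once the block is zero-initialized, the release path encounters NULL rather than an uninitialized pointer, so the arbitrary-free condition cannot arise from that member.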