From: Yuxuan Shui yshui@codeweavers.com
In this call chain: GetBestInterface -> GetBestInterfaceEx -> GetBestRoute2, we cast a sockaddr_in * (16 bytes) to SOCKADDR_INET * (28 bytes) before passing it to GetBestRoute2, but GetBestRoute2 will access all of the 28 bytes, leading to out-of-bound access.
Found by ASan.
---
 dlls/iphlpapi/iphlpapi_main.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dlls/iphlpapi/iphlpapi_main.c b/dlls/iphlpapi/iphlpapi_main.c index 83c6e8b53b8..e5fa9a74cde 100644 --- a/dlls/iphlpapi/iphlpapi_main.c +++ b/dlls/iphlpapi/iphlpapi_main.c @@ -1369,10 +1369,10 @@ ULONG WINAPI DECLSPEC_HOTPATCH GetAdaptersAddresses( ULONG family, ULONG flags, */ DWORD WINAPI GetBestInterface(IPAddr dwDestAddr, PDWORD pdwBestIfIndex) { - struct sockaddr_in sa_in; + SOCKADDR_INET sa_in; memset(&sa_in, 0, sizeof(sa_in)); - sa_in.sin_family = AF_INET; - sa_in.sin_addr.S_un.S_addr = dwDestAddr; + sa_in.si_family = AF_INET; + sa_in.Ipv4.sin_addr.S_un.S_addr = dwDestAddr; return GetBestInterfaceEx((struct sockaddr *)&sa_in, pdwBestIfIndex); }
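Review bot: The final line of GetBestInterface still passes the buffer to GetBestInterfaceEx as a plain struct sockaddr *, so the over-read is fixed only for this one caller. Going by the commit message, the cast to SOCKADDR_INET * happens further down the chain, which means any other caller that passes a 16-byte struct sockaddr_in for AF_INET will still have all 28 bytes read by GetBestRoute2. Consider having GetBestInterfaceEx copy the input into a local, zeroed SOCKADDR_INET sized according to sa_family before it calls GetBestRoute2, so that the callee never depends on the caller's allocation size. With that in place the change here would be optional. A short comment above the SOCKADDR_INET sa_in declaration explaining why the larger type is required would also help keep a later cleanup from reverting it.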