Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-7-1]: src/lib/libc/nameser Pull up following revision(s) (request...
details: https://anonhg.NetBSD.org/src/rev/f279a8ee6f94
branches: netbsd-7-1
changeset: 454133:f279a8ee6f94
user: martin <martin%NetBSD.org@localhost>
date: Fri Sep 06 13:51:20 2019 +0000
description:
Pull up following revision(s) (requested by maya in ticket #1706):
lib/libc/nameser/ns_name.c: revision 1.12
Since we advance cp after the bounds check, we need to test for bounds
again before using it. Discovered via fuzzing, reported by enh at google, via:
https://android-review.googlesource.com/c/platform/bionic/+/1093130
diffstat:
lib/libc/nameser/ns_name.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diffs (36 lines):
diff -r bd6c5254ce2d -r f279a8ee6f94 lib/libc/nameser/ns_name.c
--- a/lib/libc/nameser/ns_name.c Tue Sep 03 12:29:08 2019 +0000
+++ b/lib/libc/nameser/ns_name.c Fri Sep 06 13:51:20 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ns_name.c,v 1.11 2014/03/07 01:07:01 christos Exp $ */
+/* $NetBSD: ns_name.c,v 1.11.14.1 2019/09/06 13:51:20 martin Exp $ */
/*
* Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
@@ -22,7 +22,7 @@
#ifdef notdef
static const char rcsid[] = "Id: ns_name.c,v 1.11 2009/01/23 19:59:16 each Exp";
#else
-__RCSID("$NetBSD: ns_name.c,v 1.11 2014/03/07 01:07:01 christos Exp $");
+__RCSID("$NetBSD: ns_name.c,v 1.11.14.1 2019/09/06 13:51:20 martin Exp $");
#endif
#endif
@@ -696,7 +696,7 @@
{
const u_char *cp;
u_int n;
- int l;
+ int l = 0;
cp = *ptrptr;
while (cp < eom && (n = *cp++) != 0) {
@@ -706,7 +706,7 @@
cp += n;
continue;
case NS_TYPE_ELT: /*%< EDNS0 extended label */
- if ((l = labellen(cp - 1)) < 0) {
+ if (cp < eom && (l = labellen(cp - 1)) < 0) {
errno = EMSGSIZE; /*%< XXX */
return (-1);
}
Home |
Main Index |
Thread Index |
Old Index