Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/lib/libc/net sync with BIND 4.9.7. strict boundary checking.
details: https://anonhg.NetBSD.org/src/rev/31f2f855f77e
branches: trunk
changeset: 485339:31f2f855f77e
user: itojun <itojun%NetBSD.org@localhost>
date: Tue Apr 25 13:47:38 2000 +0000
description:
sync with BIND 4.9.7. strict boundary checking.
diffstat:
lib/libc/net/gethnamaddr.c | 47 +++++++++++++++++++++++++++++++++++++++++----
1 files changed, 42 insertions(+), 5 deletions(-)
diffs (130 lines):
diff -r ad8832228098 -r 31f2f855f77e lib/libc/net/gethnamaddr.c
--- a/lib/libc/net/gethnamaddr.c Tue Apr 25 13:46:10 2000 +0000
+++ b/lib/libc/net/gethnamaddr.c Tue Apr 25 13:47:38 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: gethnamaddr.c,v 1.31 2000/04/02 21:31:54 christos Exp $ */
+/* $NetBSD: gethnamaddr.c,v 1.32 2000/04/25 13:47:38 itojun Exp $ */
/*
* ++Copyright++ 1985, 1988, 1993
@@ -61,7 +61,7 @@
static char sccsid[] = "@(#)gethostnamadr.c 8.1 (Berkeley) 6/4/93";
static char rcsid[] = "Id: gethnamaddr.c,v 8.21 1997/06/01 20:34:37 vixie Exp ";
#else
-__RCSID("$NetBSD: gethnamaddr.c,v 1.31 2000/04/02 21:31:54 christos Exp $");
+__RCSID("$NetBSD: gethnamaddr.c,v 1.32 2000/04/25 13:47:38 itojun Exp $");
#endif
#endif /* LIBC_SCCS and not lint */
@@ -209,6 +209,23 @@
# define dprintf(msg, num) /*nada*/
#endif
+#define BOUNDED_INCR(x) \
+ do { \
+ cp += x; \
+ if (cp > eom) { \
+ h_errno = NO_RECOVERY; \
+ return (NULL); \
+ } \
+ } while (0)
+
+#define BOUNDS_CHECK(ptr, count) \
+ do { \
+ if ((ptr) + (count) > eom) { \
+ h_errno = NO_RECOVERY; \
+ return (NULL); \
+ } \
+ } while (0)
+
static struct hostent *
getanswer(answer, anslen, qname, qtype)
const querybuf *answer;
@@ -219,7 +236,7 @@
const HEADER *hp;
const u_char *cp;
int n;
- const u_char *eom;
+ const u_char *eom, *erdata;
char *bp, **ap, **hap;
int type, class, buflen, ancount, qdcount;
int haveanswer, had_error;
@@ -253,7 +270,8 @@
qdcount = ntohs(hp->qdcount);
bp = hostbuf;
buflen = sizeof hostbuf;
- cp = answer->buf + HFIXEDSZ;
+ cp = answer->buf;
+ BOUNDED_INCR(HFIXEDSZ);
if (qdcount != 1) {
h_errno = NO_RECOVERY;
return (NULL);
@@ -263,7 +281,7 @@
h_errno = NO_RECOVERY;
return (NULL);
}
- cp += n + QFIXEDSZ;
+ BOUNDED_INCR(n + QFIXEDSZ);
if (qtype == T_A || qtype == T_AAAA) {
/* res_send() has already verified that the query name is the
* same as the one we sent; this just gets the expanded name
@@ -295,12 +313,15 @@
continue;
}
cp += n; /* name */
+ BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ);
type = _getshort(cp);
cp += INT16SZ; /* type */
class = _getshort(cp);
cp += INT16SZ + INT32SZ; /* class, TTL */
n = _getshort(cp);
cp += INT16SZ; /* len */
+ BOUNDS_CHECK(cp, n);
+ erdata = cp + n;
if (class != C_IN) {
/* XXX - debug? syslog? */
cp += n;
@@ -315,6 +336,10 @@
continue;
}
cp += n;
+ if (cp != erdata) {
+ h_errno = NO_RECOVERY;
+ return (NULL);
+ }
/* Store alias. */
*ap++ = bp;
n = strlen(bp) + 1; /* for the \0 */
@@ -343,6 +368,10 @@
continue;
}
cp += n;
+ if (cp != erdata) {
+ h_errno = NO_RECOVERY;
+ return (NULL);
+ }
/* Get canonical name. */
n = strlen(tbuf) + 1; /* for the \0 */
if (n > buflen || n >= MAXHOSTNAMELEN) {
@@ -379,6 +408,10 @@
}
#if MULTI_PTRS_ARE_ALIASES
cp += n;
+ if (cp != erdata) {
+ h_errno = NO_RECOVERY;
+ return (NULL);
+ }
if (!haveanswer)
host.h_name = bp;
else if (ap < &host_aliases[MAXALIASES-1])
@@ -450,6 +483,10 @@
bp += n;
buflen -= n;
cp += n;
+ if (cp != erdata) {
+ h_errno = NO_RECOVERY;
+ return (NULL);
+ }
break;
default:
abort();
Home |
Main Index |
Thread Index |
Old Index