diff options
author | Pedro F. Giffuni <pfg@FreeBSD.org> | 2014-08-07 16:40:24 +0000 |
---|---|---|
committer | Pedro F. Giffuni <pfg@FreeBSD.org> | 2014-08-07 16:40:24 +0000 |
commit | a46361116af06c0369b705e68af0e201b7719dc2 (patch) | |
tree | ca273274b8e2369e99086d7ed4fe15c75804a826 /lib/libc/nameser | |
parent | 046c3635cdb274a1f6ccec9933899f5b3bc043a2 (diff) | |
download | src-a46361116af06c0369b705e68af0e201b7719dc2.tar.gz src-a46361116af06c0369b705e68af0e201b7719dc2.zip |
Fix broken pointer overflow check ns_name_unpack()
Many compilers may optimize away the overflow check `msg + l < msg',
where `msg' is a pointer and `l' is an integer, because pointer
overflow is undefined behavior in C.
Use a safe precondition test `l >= eom - msg' instead.
Reference:
https://android-review.googlesource.com/#/c/50570/
Obtained from: NetBSD (CVS rev. 1.10)
MFC after: 3 weeks
Notes
Notes:
svn path=/vendor/resolver/dist/; revision=269668
Diffstat (limited to 'lib/libc/nameser')
-rw-r--r-- | lib/libc/nameser/ns_name.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/libc/nameser/ns_name.c b/lib/libc/nameser/ns_name.c index 0c1f93c06629..cbd8f6a886ca 100644 --- a/lib/libc/nameser/ns_name.c +++ b/lib/libc/nameser/ns_name.c @@ -461,11 +461,12 @@ ns_name_unpack2(const u_char *msg, const u_char *eom, const u_char *src, } if (len < 0) len = srcp - src + 1; - srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff)); - if (srcp < msg || srcp >= eom) { /*%< Out of range. */ + l = ((n & 0x3f) << 8) | (*srcp & 0xff); + if (l >= eom - msg) { /*%< Out of range. */ errno = EMSGSIZE; return (-1); } + srcp = msg + l; checked += 2; /* * Check for loops in the compressed name; |