[network] Avoid out ouf bounds read in __libc_res_nquerydomain

author Jeff Law <law@redhat.com>

Wed, 29 Feb 2012 16:51:27 +0000 (11:51 -0500)

committer Carlos O'Donell <carlos@codesourcery.com>

Wed, 29 Feb 2012 16:51:27 +0000 (11:51 -0500)
author Jeff Law <law@redhat.com>
Wed, 29 Feb 2012 16:51:27 +0000 (11:51 -0500)
committer Carlos O'Donell <carlos@codesourcery.com>
Wed, 29 Feb 2012 16:51:27 +0000 (11:51 -0500)
diff --git a/ChangeLog b/ChangeLog

index 069bbc3..5501ffb 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-02-29  Jeff Law  <law@redhat.com>
+
+       * resolv/res_query.c (__libc_res_nquerydomain): Avoid
+       out of bounds read.
+
  2012-02-29  Marek Polacek  <polacek@redhat.com>
  
         [BZ #13706]
diff --git a/resolv/res_query.c b/resolv/res_query.c

index 947c651..abccd4a 100644 (file)
--- a/resolv/res_query.c
+++ b/resolv/res_query.c
@@ -556,12 +556,16 @@ __libc_res_nquerydomain(res_state statp,
                  * copy without '.' if present.
                  */
                 n = strlen(name);
-               if (n >= MAXDNAME) {
+
+               /* Decrement N prior to checking it against MAXDNAME
+                  so that we detect a wrap to SIZE_MAX and return
+                  a reasonable error.  */
+               n--;
+               if (n >= MAXDNAME - 1) {
                         RES_SET_H_ERRNO(statp, NO_RECOVERY);
                         return (-1);
                 }
-               n--;
-               if (n >= 0 && name[n] == '.') {
+               if (name[n] == '.') {
                         strncpy(nbuf, name, n);
                         nbuf[n] = '\0';
                 } else
author	Jeff Law <law@redhat.com>
	Wed, 29 Feb 2012 16:51:27 +0000 (11:51 -0500)
committer	Carlos O'Donell <carlos@codesourcery.com>
	Wed, 29 Feb 2012 16:51:27 +0000 (11:51 -0500)
ChangeLog		patch \| blob \| history
resolv/res_query.c		patch \| blob \| history