projects / external / glibc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 502328b)
2002-11-14 Paul Eggert <eggert@twionsun.com>
authorRoland McGrath <roland@gnu.org>
Mon, 18 Nov 2002 04:10:15 +0000 (04:10 +0000)
committerRoland McGrath <roland@gnu.org>
Mon, 18 Nov 2002 04:10:15 +0000 (04:10 +0000)
        * resolv/nss_dns/dns-network.c (getanswer_r): Check for buffer
        overflow when skipping the question part and when unpacking
        aliases.

ChangeLog patch | blob | history
resolv/nss_dns/dns-network.c patch | blob | history

diff --git a/ChangeLog b/ChangeLog
index 07eac3b..0bfa197 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2002-11-14  Paul Eggert  <eggert@twionsun.com>
+
+        * resolv/nss_dns/dns-network.c (getanswer_r): Check for buffer
+        overflow when skipping the question part and when unpacking
+        aliases.
+
 2002-11-15  Roland McGrath  <roland@redhat.com>
 
        * math/Makefile (libm-calls): Remove s_copysign, s_isinf, s_isnan,
diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
index 5956c84..fdab996 100644 (file)
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@@ -283,7 +283,15 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result,
 
   /* Skip the question part.  */
   while (question_count-- > 0)
-    cp += __dn_skipname (cp, end_of_message) + QFIXEDSZ;
+    {
+      int n = __dn_skipname (cp, end_of_message);
+      if (n < 0 || end_of_message - (cp + n) < QFIXEDSZ)
+       {
+         __set_h_errno (NO_RECOVERY);
+         return NSS_STATUS_UNAVAIL;
+       }
+      cp += n + QFIXEDSZ;
+    }
 
   alias_pointer = result->n_aliases = &net_data->aliases[0];
   *alias_pointer = NULL;
@@ -344,12 +352,15 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result,
              return NSS_STATUS_UNAVAIL;
            }
          cp += n;
-         *alias_pointer++ = bp;
-         n = strlen (bp) + 1;
-         bp += n;
-         linebuflen -= n;
-         result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
-         ++have_answer;
+         if (alias_pointer + 2 < &net_data->aliases[MAX_NR_ALIASES])
+           {
+             *alias_pointer++ = bp;
+             n = strlen (bp) + 1;
+             bp += n;
+             linebuflen -= n;
+             result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
+             ++have_answer;
+           }
        }
     }
 
Domain: System / Toolchain;