From 38dad4433295d583343b82aac87326d407fe2927 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Mon, 14 May 2018 16:59:20 +0200
Subject: [PATCH] sd-resolve: fix check for packet size

The protocol is that a string is serialized with the nul byte at the end, and the terminator is included in length. We'd call strndup with offset 0, length len1-1, and then a second time with offset len1, length len2-1, so in the end the check was off by one. But let's require the terminating nul too, even if we don't access it. CID #1383035.
---
 src/libsystemd/sd-resolve/sd-resolve.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libsystemd/sd-resolve/sd-resolve.c b/src/libsystemd/sd-resolve/sd-resolve.c
index acd3146..ba0f155 100644
--- a/src/libsystemd/sd-resolve/sd-resolve.c
+++ b/src/libsystemd/sd-resolve/sd-resolve.c
@@ -802,7 +802,7 @@ static int handle_response(sd_resolve *resolve, const Packet *packet, size_t len
 if (ni_resp->hostlen > DNS_HOSTNAME_MAX ||
 ni_resp->servlen > DNS_HOSTNAME_MAX ||
- sizeof(NameInfoResponse) + ni_resp->hostlen + ni_resp->servlen > length + 2)
+ sizeof(NameInfoResponse) + ni_resp->hostlen + ni_resp->servlen > length)
 ASSIGN_ERRNO(q, EAI_SYSTEM, EIO, 0);
 else {
-- 
2.7.4
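Review bot: The tightened third clause of the `if` depends on a wire-format rule that is stated only in the commit message, so it should carry a comment above the check, for example `/* hostlen and servlen each include the trailing NUL, so the payload must hold hostlen + servlen bytes */`. The sum looks safe from wrap-around because the two preceding clauses cap each length at DNS_HOSTNAME_MAX before it is evaluated, assuming that constant is small. The check proves the bytes are present but not that the last byte of each string is actually NUL, which matters only if a later reader treats the payload as a C string in place instead of copying it. Going by the commit message, the consumer copies `len - 1` bytes with strndup, so it is worth confirming that the code after the `else {` skips a zero hostlen or servlen before subtracting. That code, like the rest of handle_response, lies outside this hunk.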