Source-Changes-HG archive


[src/netbsd-1-4]: src/lib/libc/net Pull up revisions 1.45-1.46 (via patch, re...



details:   https://anonhg.NetBSD.org/src/rev/9f070682aa8d
branches:  netbsd-1-4
changeset: 471332:9f070682aa8d
user:      he <he%NetBSD.org@localhost>
date:      Wed Jun 26 21:54:27 2002 +0000

description:
Pull up revisions 1.45-1.46 (via patch, requested by he):
  Fix remote buffer overrun on hostbuf[].  Also fix up logic of
  buffer handling.

diffstat:

 lib/libc/net/gethnamaddr.c |  57 ++++++++++++++++++---------------------------
 1 files changed, 23 insertions(+), 34 deletions(-)

diffs (246 lines):

diff -r 7fc263c652ac -r 9f070682aa8d lib/libc/net/gethnamaddr.c
--- a/lib/libc/net/gethnamaddr.c        Thu Mar 07 21:16:24 2002 +0000
+++ b/lib/libc/net/gethnamaddr.c        Wed Jun 26 21:54:27 2002 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: gethnamaddr.c,v 1.14.2.2 2000/08/04 15:21:27 he Exp $  */
+/*     $NetBSD: gethnamaddr.c,v 1.14.2.3 2002/06/26 21:54:27 he Exp $  */
 
 /*
  * ++Copyright++ 1985, 1988, 1993
@@ -61,7 +61,7 @@
 static char sccsid[] = "@(#)gethostnamadr.c    8.1 (Berkeley) 6/4/93";
 static char rcsid[] = "Id: gethnamaddr.c,v 8.21 1997/06/01 20:34:37 vixie Exp ";
 #else
-__RCSID("$NetBSD: gethnamaddr.c,v 1.14.2.2 2000/08/04 15:21:27 he Exp $");
+__RCSID("$NetBSD: gethnamaddr.c,v 1.14.2.3 2002/06/26 21:54:27 he Exp $");
 #endif
 #endif /* LIBC_SCCS and not lint */
 
@@ -147,7 +147,7 @@
 static struct hostent *getanswer __P((const querybuf *, int,
     const char *, int));
 static void map_v4v6_address __P((const char *, char *));
-static void map_v4v6_hostent __P((struct hostent *, char **, int *));
+static void map_v4v6_hostent __P((struct hostent *, char **, char *));
 #ifdef RESOLVSORT
 static void addrsort __P((char **, int));
 #endif
@@ -211,8 +211,8 @@
        register const u_char *cp;
        register int n;
        const u_char *eom;
-       char *bp, **ap, **hap;
-       int type, class, buflen, ancount, qdcount;
+       char *bp, **ap, **hap, *ep;
+       int type, class, ancount, qdcount;
        int haveanswer, had_error;
        int toobig = 0;
        char tbuf[MAXDNAME];
@@ -240,13 +240,13 @@
        ancount = ntohs(hp->ancount);
        qdcount = ntohs(hp->qdcount);
        bp = hostbuf;
-       buflen = sizeof hostbuf;
+       ep = hostbuf + sizeof hostbuf;
        cp = answer->buf + HFIXEDSZ;
        if (qdcount != 1) {
                h_errno = NO_RECOVERY;
                return (NULL);
        }
-       n = dn_expand(answer->buf, eom, cp, bp, buflen);
+       n = dn_expand(answer->buf, eom, cp, bp, ep - bp);
        if ((n < 0) || !(*name_ok)(bp)) {
                h_errno = NO_RECOVERY;
                return (NULL);
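Review bot: The new end pointer at `ep = hostbuf + sizeof hostbuf;` carries the whole bounds invariant for this function but is introduced without a comment. I would add `/* ep is one past the end of hostbuf; space left is always ep - bp, so every advance of bp, alignment padding included, is accounted for */` on that line, so that a later edit does not reintroduce a separately tracked length. Separately, `ep - bp` is a ptrdiff_t handed to dn_expand()'s int length argument; writing `(int)(ep - bp)` would make the narrowing explicit. The function body starts and ends outside this hunk.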
@@ -264,7 +264,6 @@
                }
                host.h_name = bp;
                bp += n;
-               buflen -= n;
                /* The qname can be abbreviated, but h_name is now absolute. */
                qname = host.h_name;
        }
@@ -277,7 +276,7 @@
        haveanswer = 0;
        had_error = 0;
        while (ancount-- > 0 && cp < eom && !had_error) {
-               n = dn_expand(answer->buf, eom, cp, bp, buflen);
+               n = dn_expand(answer->buf, eom, cp, bp, ep - bp);
                if ((n < 0) || !(*name_ok)(bp)) {
                        had_error++;
                        continue;
@@ -311,17 +310,15 @@
                                continue;
                        }
                        bp += n;
-                       buflen -= n;
                        /* Get canonical name. */
                        n = strlen(tbuf) + 1;   /* for the \0 */
-                       if (n > buflen || n >= MAXHOSTNAMELEN) {
+                       if (n > ep - bp || n >= MAXHOSTNAMELEN) {
                                had_error++;
                                continue;
                        }
                        strcpy(bp, tbuf);
                        host.h_name = bp;
                        bp += n;
-                       buflen -= n;
                        continue;
                }
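Review bot: In the canonical-name branch, `strcpy(bp, tbuf);` rescans tbuf even though `n` already holds `strlen(tbuf) + 1` and is the value just compared with `ep - bp`. Writing `memcpy(bp, tbuf, (size_t)n);` ties the number of bytes written to the number that was bounds-checked, which is easier to audit in code that parses untrusted DNS answers. The same pattern appears in the T_PTR/T_CNAME hunk (`strcpy(bp, tbuf)`) and in the `!host.h_name` hunk (`strcpy(bp, qname)`). This is a style point only; the check as written does bound the copy. The enclosing loop body extends outside the hunk.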
                if (qtype == T_PTR && type == T_CNAME) {
@@ -333,14 +330,13 @@
                        cp += n;
                        /* Get canonical name. */
                        n = strlen(tbuf) + 1;   /* for the \0 */
-                       if (n > buflen || n >= MAXHOSTNAMELEN) {
+                       if (n > ep - bp || n >= MAXHOSTNAMELEN) {
                                had_error++;
                                continue;
                        }
                        strcpy(bp, tbuf);
                        tname = bp;
                        bp += n;
-                       buflen -= n;
                        continue;
                }
                if (type != qtype) {
@@ -360,7 +356,7 @@
                                cp += n;
                                continue;       /* XXX - had_error++ ? */
                        }
-                       n = dn_expand(answer->buf, eom, cp, bp, buflen);
+                       n = dn_expand(answer->buf, eom, cp, bp, ep - bp);
                        if ((n < 0) || !res_hnok(bp)) {
                                had_error++;
                                break;
@@ -380,7 +376,6 @@
                                        break;
                                }
                                bp += n;
-                               buflen -= n;
                        }
                        break;
 #else
@@ -392,8 +387,7 @@
                                        break;
                                }
                                bp += n;
-                               buflen -= n;
-                               map_v4v6_hostent(&host, &bp, &buflen);
+                               map_v4v6_hostent(&host, &bp, ep);
                        }
                        h_errno = NETDB_SUCCESS;
                        return (&host);
@@ -416,7 +410,6 @@
                                host.h_name = bp;
                                nn = strlen(bp) + 1;    /* for the \0 */
                                bp += nn;
-                               buflen -= nn;
                        }
 
                        bp += sizeof(align) -
@@ -436,7 +429,6 @@
                        }
                        (void)memcpy(*hap++ = bp, cp, (size_t)n);
                        bp += n;
-                       buflen -= n;
                        cp += n;
                        break;
                default:
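Review bot: The bounds check that guards `memcpy(*hap++ = bp, cp, (size_t)n);` sits above this hunk and is not changed by the commit, so it cannot be confirmed from here that it measures space the same way as the rest of the new code. The preceding hunk advances bp by alignment padding (`bp += sizeof(align) - ...`) shortly before this copy, which is the kind of adjustment a separately tracked length can miss. If that check is not already in the form `if (n > ep - bp)`, I would convert it so that every write into hostbuf is bounded by the same `ep - bp` expression. The case body starts outside the hunk.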
@@ -459,15 +451,14 @@
 # endif /*RESOLVSORT*/
                if (!host.h_name) {
                        n = strlen(qname) + 1;  /* for the \0 */
-                       if (n > buflen || n >= MAXHOSTNAMELEN)
+                       if (n > ep - bp || n >= MAXHOSTNAMELEN)
                                goto no_recovery;
                        strcpy(bp, qname);
                        host.h_name = bp;
                        bp += n;
-                       buflen -= n;
                }
                if (_res.options & RES_USE_INET6)
-                       map_v4v6_hostent(&host, &bp, &buflen);
+                       map_v4v6_hostent(&host, &bp, ep);
                h_errno = NETDB_SUCCESS;
                return (&host);
        }
@@ -500,8 +491,8 @@
        int af;
 {
        const char *cp;
-       char *bp;
-       int size, len;
+       char *bp, *ep;
+       int size;
        struct hostent *hp;
        static const ns_dtab dtab[] = {
                NS_FILES_CB(_gethtbyname, NULL)
@@ -555,7 +546,7 @@
                                strncpy(hostbuf, name, MAXDNAME);
                                hostbuf[MAXDNAME] = '\0';
                                bp = hostbuf + MAXDNAME;
-                               len = sizeof hostbuf - MAXDNAME;
+                               ep = hostbuf + sizeof hostbuf;
                                host.h_name = hostbuf;
                                host.h_aliases = host_aliases;
                                host_aliases[0] = NULL;
@@ -563,7 +554,7 @@
                                h_addr_ptrs[1] = NULL;
                                host.h_addr_list = h_addr_ptrs;
                                if (_res.options & RES_USE_INET6)
-                                       map_v4v6_hostent(&host, &bp, &len);
+                                       map_v4v6_hostent(&host, &bp, ep);
                                h_errno = NETDB_SUCCESS;
                                return (&host);
                        }
@@ -588,7 +579,7 @@
                                strncpy(hostbuf, name, MAXDNAME);
                                hostbuf[MAXDNAME] = '\0';
                                bp = hostbuf + MAXDNAME;
-                               len = sizeof hostbuf - MAXDNAME;
+                               ep = hostbuf + sizeof hostbuf;
                                host.h_name = hostbuf;
                                host.h_aliases = host_aliases;
                                host_aliases[0] = NULL;
@@ -605,7 +596,7 @@
        hp = (struct hostent *)NULL;
        h_errno = NETDB_INTERNAL;
        if (nsdispatch(&hp, dtab, NSDB_HOSTS, "gethostbyname",
-           default_dns_files, name, len, af) != NS_SUCCESS)
+           default_dns_files, name, strlen(name), af) != NS_SUCCESS)
                return (struct hostent *)NULL;
        h_errno = NETDB_SUCCESS;
        return (hp);
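Review bot: `strlen(name)` is passed in nsdispatch()'s trailing argument list, which appears to be variadic, so it travels as a size_t where the removed `len` was an int. The callbacks that consume it are outside this diff; if they fetch it with `va_arg(ap, int)`, the types no longer match on LP64 ports and the following `af` argument may be read incorrectly. Casting at the call site, `default_dns_files, name, (int)strlen(name), af) != NS_SUCCESS)`, keeps the argument type the callbacks previously received. The function body starts outside the hunk.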
@@ -854,10 +845,10 @@
 }
 
 static void
-map_v4v6_hostent(hp, bpp, lenp)
+map_v4v6_hostent(hp, bpp, ep)
        struct hostent *hp;
        char **bpp;
-       int *lenp;
+       char *ep;
 {
        char **ap;
 
@@ -868,17 +859,15 @@
        for (ap = hp->h_addr_list; *ap; ap++) {
                int i = sizeof(align) - (size_t)((u_long)*bpp % sizeof(align));
 
-               if (*lenp < (i + IN6ADDRSZ)) {
+               if (ep - *bpp < (i + IN6ADDRSZ)) {
                        /* Out of memory.  Truncate address list here.  XXX */
                        *ap = NULL;
                        return;
                }
                *bpp += i;
-               *lenp -= i;
                map_v4v6_address(*ap, *bpp);
                *ap = *bpp;
                *bpp += IN6ADDRSZ;
-               *lenp -= IN6ADDRSZ;
        }
 }
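Review bot: map_v4v6_hostent() now depends on `ep` pointing one past the end of the same buffer that `*bpp` points into, since `ep - *bpp` is only defined for pointers into one object, and nothing at the definition states this. I would add a header comment above the function (its signature is in the previous hunk) stating that contract, and that the address list is truncated at the first entry that does not fit. The comparison `ep - *bpp < (i + IN6ADDRSZ)` mixes ptrdiff_t and int, which is harmless as long as the buffer is far smaller than INT_MAX, but that is worth a word in the same comment. The start of the function body is outside this hunk.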
 


