Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-7]: src/lib/libc/nameser Pull up following revision(s) (requested...



details:   https://anonhg.NetBSD.org/src/rev/670e16849775
branches:  netbsd-7
changeset: 800671:670e16849775
user:      martin <martin%NetBSD.org@localhost>
date:      Fri Sep 06 13:50:03 2019 +0000

description:
Pull up following revision(s) (requested by maya in ticket #1706):

        lib/libc/nameser/ns_name.c: revision 1.12

Since we advance cp after the bounds check, we need to test for bounds
again before using it. Discovered via fuzzing, reported by enh at google, via:

    https://android-review.googlesource.com/c/platform/bionic/+/1093130

diffstat:

 lib/libc/nameser/ns_name.c |  8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diffs (36 lines):

diff -r 75a3263adfe2 -r 670e16849775 lib/libc/nameser/ns_name.c
--- a/lib/libc/nameser/ns_name.c        Tue Sep 03 12:21:49 2019 +0000
+++ b/lib/libc/nameser/ns_name.c        Fri Sep 06 13:50:03 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ns_name.c,v 1.11 2014/03/07 01:07:01 christos Exp $    */
+/*     $NetBSD: ns_name.c,v 1.11.4.1 2019/09/06 13:50:03 martin Exp $  */
 
 /*
  * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
@@ -22,7 +22,7 @@
 #ifdef notdef
 static const char rcsid[] = "Id: ns_name.c,v 1.11 2009/01/23 19:59:16 each Exp";
 #else
-__RCSID("$NetBSD: ns_name.c,v 1.11 2014/03/07 01:07:01 christos Exp $");
+__RCSID("$NetBSD: ns_name.c,v 1.11.4.1 2019/09/06 13:50:03 martin Exp $");
 #endif
 #endif
 
@@ -696,7 +696,7 @@
 {
        const u_char *cp;
        u_int n;
-       int l;
+       int l = 0;
 
        cp = *ptrptr;
        while (cp < eom && (n = *cp++) != 0) {
@@ -706,7 +706,7 @@
                        cp += n;
                        continue;
                case NS_TYPE_ELT: /*%< EDNS0 extended label */
-                       if ((l = labellen(cp - 1)) < 0) {
+                       if (cp < eom && (l = labellen(cp - 1)) < 0) {
                                errno = EMSGSIZE; /*%< XXX */
                                return (-1);
                        }



Home | Main Index | Thread Index | Old Index