2002-11-14 Paul Eggert <eggert@twionsun.com>

* resolv/nss_dns/dns-network.c (getanswer_r): Check for buffer overflow when skipping the question part and when unpacking aliases.
2024-11-22 13:00:06 +00:00 · 2002-11-18 04:10:15 +00:00 · 2002-11-18 04:10:15 +00:00 · 9b57c1c1e4
commit 9b57c1c1e4
parent 502328b258
2 changed files with 24 additions and 7 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+2002-11-14  Paul Eggert  <eggert@twionsun.com>
+
+        * resolv/nss_dns/dns-network.c (getanswer_r): Check for buffer
+        overflow when skipping the question part and when unpacking
+        aliases.
+
 2002-11-15  Roland McGrath  <roland@redhat.com>

 	* math/Makefile (libm-calls): Remove s_copysign, s_isinf, s_isnan,
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@ -283,7 +283,15 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result,

  /* Skip the question part.  */
  while (question_count-- > 0)
-    cp += __dn_skipname (cp, end_of_message) + QFIXEDSZ;
+    {
+      int n = __dn_skipname (cp, end_of_message);
+      if (n < 0 || end_of_message - (cp + n) < QFIXEDSZ)
+       {
+         __set_h_errno (NO_RECOVERY);
+         return NSS_STATUS_UNAVAIL;
+       }
+      cp += n + QFIXEDSZ;
+    }

  alias_pointer = result->n_aliases = &net_data->aliases[0];
  *alias_pointer = NULL;
@ -344,12 +352,15 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result,
 	      return NSS_STATUS_UNAVAIL;
 	    }
 	  cp += n;
-	  *alias_pointer++ = bp;
-	  n = strlen (bp) + 1;
-	  bp += n;
-	  linebuflen -= n;
-	  result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
-	  ++have_answer;
+         if (alias_pointer + 2 < &net_data->aliases[MAX_NR_ALIASES])
+           {
+             *alias_pointer++ = bp;
+             n = strlen (bp) + 1;
+             bp += n;
+             linebuflen -= n;
+             result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
+             ++have_answer;
+           }
 	}
    }