svn commit: r269668 - vendor/resolver/dist/lib/libc/nameser
Pedro F. Giffuni
pfg at FreeBSD.org
Thu Aug 7 16:40:24 UTC 2014
Author: pfg
Date: Thu Aug 7 16:40:24 2014
New Revision: 269668
URL: http://svnweb.freebsd.org/changeset/base/269668
Log:
Fix broken pointer overflow check ns_name_unpack()
Many compilers may optimize away the overflow check `msg + l < msg',
where `msg' is a pointer and `l' is an integer, because pointer
overflow is undefined behavior in C.
Use a safe precondition test `l >= eom - msg' instead.
Reference:
https://android-review.googlesource.com/#/c/50570/
Obtained from: NetBSD (CVS rev. 1.10)
MFC after: 3 weeks
Modified:
vendor/resolver/dist/lib/libc/nameser/ns_name.c
Modified: vendor/resolver/dist/lib/libc/nameser/ns_name.c
==============================================================================
--- vendor/resolver/dist/lib/libc/nameser/ns_name.c Thu Aug 7 15:56:55 2014 (r269667)
+++ vendor/resolver/dist/lib/libc/nameser/ns_name.c Thu Aug 7 16:40:24 2014 (r269668)
@@ -461,11 +461,12 @@ ns_name_unpack2(const u_char *msg, const
}
if (len < 0)
len = srcp - src + 1;
- srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
- if (srcp < msg || srcp >= eom) { /*%< Out of range. */
+ l = ((n & 0x3f) << 8) | (*srcp & 0xff);
+ if (l >= eom - msg) { /*%< Out of range. */
errno = EMSGSIZE;
return (-1);
}
+ srcp = msg + l;
checked += 2;
/*
* Check for loops in the compressed name;
More information about the svn-src-all
mailing list