diff options
Diffstat (limited to 'resolv/gethnamaddr.c')
-rw-r--r-- | resolv/gethnamaddr.c | 44 |
1 files changed, 41 insertions, 3 deletions
diff --git a/resolv/gethnamaddr.c b/resolv/gethnamaddr.c index 4c8180f..3272dbd 100644 --- a/resolv/gethnamaddr.c +++ b/resolv/gethnamaddr.c @@ -160,6 +160,24 @@ dprintf(msg, num) # define dprintf(msg, num) /*nada*/ #endif +#define BOUNDED_INCR(x) \ + do { \ + cp += x; \ + if (cp > eom) { \ + __set_h_errno (NO_RECOVERY); \ + return (NULL); \ + } \ + } while (0) + +#define BOUNDS_CHECK(ptr, count) \ + do { \ + if ((ptr) + (count) > eom) { \ + __set_h_errno (NO_RECOVERY); \ + return (NULL); \ + } \ + } while (0) + + static struct hostent * getanswer(answer, anslen, qname, qtype) const querybuf *answer; @@ -170,7 +188,7 @@ getanswer(answer, anslen, qname, qtype) register const HEADER *hp; register const u_char *cp; register int n; - const u_char *eom; + const u_char *eom, *erdata; char *bp, **ap, **hap; int type, class, buflen, ancount, qdcount; int haveanswer, had_error; @@ -201,7 +219,8 @@ getanswer(answer, anslen, qname, qtype) qdcount = ntohs(hp->qdcount); bp = hostbuf; buflen = sizeof hostbuf; - cp = answer->buf + HFIXEDSZ; + cp = answer->buf; + BOUNDED_INCR(HFIXEDSZ); if (qdcount != 1) { __set_h_errno (NO_RECOVERY); return (NULL); @@ -211,7 +230,7 @@ getanswer(answer, anslen, qname, qtype) __set_h_errno (NO_RECOVERY); return (NULL); } - cp += n + QFIXEDSZ; + BOUNDED_INCR(n + QFIXEDSZ); if (qtype == T_A || qtype == T_AAAA) { /* res_send() has already verified that the query name is the * same as the one we sent; this just gets the expanded name @@ -243,12 +262,15 @@ getanswer(answer, anslen, qname, qtype) continue; } cp += n; /* name */ + BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ); type = _getshort(cp); cp += INT16SZ; /* type */ class = _getshort(cp); cp += INT16SZ + INT32SZ; /* class, TTL */ n = _getshort(cp); cp += INT16SZ; /* len */ + BOUNDS_CHECK(cp, n); + erdata = cp + n; if (class != C_IN) { /* XXX - debug? syslog? */ cp += n; @@ -263,6 +285,10 @@ getanswer(answer, anslen, qname, qtype) continue; } cp += n; + if (cp != erdata) { + __set_h_errno (NO_RECOVERY); + return (NULL); + } /* Store alias. */ *ap++ = bp; n = strlen(bp) + 1; /* for the \0 */ @@ -291,6 +317,10 @@ getanswer(answer, anslen, qname, qtype) continue; } cp += n; + if (cp != erdata) { + __set_h_errno (NO_RECOVERY); + return (NULL); + } /* Get canonical name. */ n = strlen(tbuf) + 1; /* for the \0 */ if (n > buflen || n >= MAXHOSTNAMELEN) { @@ -326,6 +356,10 @@ getanswer(answer, anslen, qname, qtype) } #if MULTI_PTRS_ARE_ALIASES cp += n; + if (cp != erdata) { + __set_h_errno (NO_RECOVERY); + return (NULL); + } if (!haveanswer) host.h_name = bp; else if (ap < &host_aliases[MAXALIASES-1]) @@ -397,6 +431,10 @@ getanswer(answer, anslen, qname, qtype) bp += n; buflen -= n; cp += n; + if (cp != erdata) { + __set_h_errno (NO_RECOVERY); + return (NULL); + } break; default: abort(); |