aboutsummaryrefslogtreecommitdiff
path: root/resolv
diff options
context:
space:
mode:
Diffstat (limited to 'resolv')
-rw-r--r--resolv/gethnamaddr.c44
-rw-r--r--resolv/res_comp.c924
-rw-r--r--resolv/res_send.c42
3 files changed, 763 insertions, 247 deletions
diff --git a/resolv/gethnamaddr.c b/resolv/gethnamaddr.c
index 4c8180f..3272dbd 100644
--- a/resolv/gethnamaddr.c
+++ b/resolv/gethnamaddr.c
@@ -160,6 +160,24 @@ dprintf(msg, num)
# define dprintf(msg, num) /*nada*/
#endif
+#define BOUNDED_INCR(x) \
+ do { \
+ cp += x; \
+ if (cp > eom) { \
+ __set_h_errno (NO_RECOVERY); \
+ return (NULL); \
+ } \
+ } while (0)
+
+#define BOUNDS_CHECK(ptr, count) \
+ do { \
+ if ((ptr) + (count) > eom) { \
+ __set_h_errno (NO_RECOVERY); \
+ return (NULL); \
+ } \
+ } while (0)
+
+
static struct hostent *
getanswer(answer, anslen, qname, qtype)
const querybuf *answer;
@@ -170,7 +188,7 @@ getanswer(answer, anslen, qname, qtype)
register const HEADER *hp;
register const u_char *cp;
register int n;
- const u_char *eom;
+ const u_char *eom, *erdata;
char *bp, **ap, **hap;
int type, class, buflen, ancount, qdcount;
int haveanswer, had_error;
@@ -201,7 +219,8 @@ getanswer(answer, anslen, qname, qtype)
qdcount = ntohs(hp->qdcount);
bp = hostbuf;
buflen = sizeof hostbuf;
- cp = answer->buf + HFIXEDSZ;
+ cp = answer->buf;
+ BOUNDED_INCR(HFIXEDSZ);
if (qdcount != 1) {
__set_h_errno (NO_RECOVERY);
return (NULL);
@@ -211,7 +230,7 @@ getanswer(answer, anslen, qname, qtype)
__set_h_errno (NO_RECOVERY);
return (NULL);
}
- cp += n + QFIXEDSZ;
+ BOUNDED_INCR(n + QFIXEDSZ);
if (qtype == T_A || qtype == T_AAAA) {
/* res_send() has already verified that the query name is the
* same as the one we sent; this just gets the expanded name
@@ -243,12 +262,15 @@ getanswer(answer, anslen, qname, qtype)
continue;
}
cp += n; /* name */
+ BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ);
type = _getshort(cp);
cp += INT16SZ; /* type */
class = _getshort(cp);
cp += INT16SZ + INT32SZ; /* class, TTL */
n = _getshort(cp);
cp += INT16SZ; /* len */
+ BOUNDS_CHECK(cp, n);
+ erdata = cp + n;
if (class != C_IN) {
/* XXX - debug? syslog? */
cp += n;
@@ -263,6 +285,10 @@ getanswer(answer, anslen, qname, qtype)
continue;
}
cp += n;
+ if (cp != erdata) {
+ __set_h_errno (NO_RECOVERY);
+ return (NULL);
+ }
/* Store alias. */
*ap++ = bp;
n = strlen(bp) + 1; /* for the \0 */
@@ -291,6 +317,10 @@ getanswer(answer, anslen, qname, qtype)
continue;
}
cp += n;
+ if (cp != erdata) {
+ __set_h_errno (NO_RECOVERY);
+ return (NULL);
+ }
/* Get canonical name. */
n = strlen(tbuf) + 1; /* for the \0 */
if (n > buflen || n >= MAXHOSTNAMELEN) {
@@ -326,6 +356,10 @@ getanswer(answer, anslen, qname, qtype)
}
#if MULTI_PTRS_ARE_ALIASES
cp += n;
+ if (cp != erdata) {
+ __set_h_errno (NO_RECOVERY);
+ return (NULL);
+ }
if (!haveanswer)
host.h_name = bp;
else if (ap < &host_aliases[MAXALIASES-1])
@@ -397,6 +431,10 @@ getanswer(answer, anslen, qname, qtype)
bp += n;
buflen -= n;
cp += n;
+ if (cp != erdata) {
+ __set_h_errno (NO_RECOVERY);
+ return (NULL);
+ }
break;
default:
abort();
diff --git a/resolv/res_comp.c b/resolv/res_comp.c
index 94a6270..2661963 100644
--- a/resolv/res_comp.c
+++ b/resolv/res_comp.c
@@ -63,9 +63,10 @@ static char rcsid[] = "$Id$";
#include <netinet/in.h>
#include <arpa/nameser.h>
-#include <stdio.h>
-#include <resolv.h>
#include <ctype.h>
+#include <errno.h>
+#include <resolv.h>
+#include <stdio.h>
#if defined(BSD) && (BSD >= 199103)
# include <unistd.h>
@@ -74,8 +75,17 @@ static char rcsid[] = "$Id$";
# include "../conf/portability.h"
#endif
-static int dn_find __P((u_char *exp_dn, u_char *msg,
- u_char **dnptrs, u_char **lastdnptr));
+static int ns_name_ntop __P((const u_char *, char *, size_t));
+static int ns_name_pton __P((const char *, u_char *, size_t));
+static int ns_name_unpack __P((const u_char *, const u_char *,
+ const u_char *, u_char *, size_t));
+static int ns_name_pack __P((const u_char *, u_char *, int,
+ const u_char **, const u_char **));
+static int ns_name_uncompress __P((const u_char *, const u_char *,
+ const u_char *, char *, size_t));
+static int ns_name_compress __P((const char *, u_char *, size_t,
+ const u_char **, const u_char **));
+static int ns_name_skip __P((const u_char **, const u_char *));
/*
* Expand compressed domain name 'comp_dn' to full domain name.
@@ -85,261 +95,51 @@ static int dn_find __P((u_char *exp_dn, u_char *msg,
* Return size of compressed name or -1 if there was an error.
*/
int
-dn_expand(msg, eomorig, comp_dn, exp_dn, length)
- const u_char *msg, *eomorig, *comp_dn;
- char *exp_dn;
- int length;
+dn_expand(msg, eom, src, dst, dstsiz)
+ const u_char *msg;
+ const u_char *eom;
+ const u_char *src;
+ char *dst;
+ int dstsiz;
{
- register const u_char *cp;
- register char *dn;
- register int n, c;
- char *eom;
- int len = -1, checked = 0, octets = 0;
-
- dn = exp_dn;
- cp = comp_dn;
- eom = exp_dn + length;
- /*
- * fetch next label in domain name
- */
- while (n = *cp++) {
- /*
- * Check for indirection
- */
- switch (n & INDIR_MASK) {
- case 0:
- octets += (n + 1);
- if (octets > MAXCDNAME)
- return (-1);
- if (dn != exp_dn) {
- if (dn >= eom)
- return (-1);
- *dn++ = '.';
- }
- if (dn+n >= eom)
- return (-1);
- checked += n + 1;
- while (--n >= 0) {
- if (((c = *cp++) == '.') || (c == '\\')) {
- if (dn + n + 2 >= eom)
- return (-1);
- *dn++ = '\\';
- }
- *dn++ = c;
- if (cp >= eomorig) /* out of range */
- return (-1);
- }
- break;
+ int n = ns_name_uncompress(msg, eom, src, dst, (size_t)dstsiz);
- case INDIR_MASK:
- if (len < 0)
- len = cp - comp_dn + 1;
- cp = msg + (((n & 0x3f) << 8) | (*cp & 0xff));
- if (cp < msg || cp >= eomorig) /* out of range */
- return (-1);
- checked += 2;
- /*
- * Check for loops in the compressed name;
- * if we've looked at the whole message,
- * there must be a loop.
- */
- if (checked >= eomorig - msg)
- return (-1);
- break;
-
- default:
- return (-1); /* flag error */
- }
- }
- *dn = '\0';
- if (len < 0)
- len = cp - comp_dn;
- return (len);
+ if (n > 0 && dst[0] == '.')
+ dst[0] = '\0';
+ return (n);
}
/*
- * Compress domain name 'exp_dn' into 'comp_dn'.
+ * Pack domain name 'exp_dn' in presentation form into 'comp_dn'.
* Return the size of the compressed name or -1.
* 'length' is the size of the array pointed to by 'comp_dn'.
- * 'dnptrs' is a list of pointers to previous compressed names. dnptrs[0]
- * is a pointer to the beginning of the message. The list ends with NULL.
- * 'lastdnptr' is a pointer to the end of the array pointed to
- * by 'dnptrs'. Side effect is to update the list of pointers for
- * labels inserted into the message as we compress the name.
- * If 'dnptr' is NULL, we don't try to compress names. If 'lastdnptr'
- * is NULL, we don't update the list.
*/
int
-dn_comp(exp_dn, comp_dn, length, dnptrs, lastdnptr)
- const char *exp_dn;
- u_char *comp_dn, **dnptrs, **lastdnptr;
- int length;
+dn_comp(src, dst, dstsiz, dnptrs, lastdnptr)
+ const char *src;
+ u_char *dst;
+ int dstsiz;
+ u_char **dnptrs;
+ u_char **lastdnptr;
{
- register u_char *cp, *dn;
- register int c, l;
- u_char **cpp, **lpp, *sp, *eob;
- u_char *msg;
-
- dn = (u_char *)exp_dn;
- cp = comp_dn;
- if (length > MAXCDNAME)
- length = MAXCDNAME;
- eob = cp + length;
- lpp = cpp = NULL;
- if (dnptrs != NULL) {
- if ((msg = *dnptrs++) != NULL) {
- for (cpp = dnptrs; *cpp != NULL; cpp++)
- ;
- lpp = cpp; /* end of list to search */
- }
- } else
- msg = NULL;
- for (c = *dn++; c != '\0'; ) {
- /* look to see if we can use pointers */
- if (msg != NULL) {
- if ((l = dn_find(dn-1, msg, dnptrs, lpp)) >= 0) {
- if (cp+1 >= eob)
- return (-1);
- *cp++ = (l >> 8) | INDIR_MASK;
- *cp++ = l % 256;
- return (cp - comp_dn);
- }
- /* not found, save it */
- if (lastdnptr != NULL && cpp < lastdnptr-1) {
- *cpp++ = cp;
- *cpp = NULL;
- }
- }
- sp = cp++; /* save ptr to length byte */
- do {
- if (c == '.') {
- c = *dn++;
- break;
- }
- if (c == '\\') {
- if ((c = *dn++) == '\0')
- break;
- }
- if (cp >= eob) {
- if (msg != NULL)
- *lpp = NULL;
- return (-1);
- }
- *cp++ = c;
- } while ((c = *dn++) != '\0');
- /* catch trailing '.'s but not '..' */
- if ((l = cp - sp - 1) == 0 && c == '\0') {
- cp--;
- break;
- }
- if (l <= 0 || l > MAXLABEL) {
- if (msg != NULL)
- *lpp = NULL;
- return (-1);
- }
- *sp = l;
- }
- if (cp >= eob) {
- if (msg != NULL)
- *lpp = NULL;
- return (-1);
- }
- *cp++ = '\0';
- return (cp - comp_dn);
+ return (ns_name_compress(src, dst, (size_t)dstsiz,
+ (const u_char **)dnptrs,
+ (const u_char **)lastdnptr));
}
/*
* Skip over a compressed domain name. Return the size or -1.
*/
int
-__dn_skipname(comp_dn, eom)
- const u_char *comp_dn, *eom;
+__dn_skipname(ptr, eom)
+ const u_char *ptr;
+ const u_char *eom;
{
- register const u_char *cp;
- register int n;
-
- cp = comp_dn;
- while (cp < eom && (n = *cp++)) {
- /*
- * check for indirection
- */
- switch (n & INDIR_MASK) {
- case 0: /* normal case, n == len */
- cp += n;
- continue;
- case INDIR_MASK: /* indirection */
- cp++;
- break;
- default: /* illegal type */
- return (-1);
- }
- break;
- }
- if (cp > eom)
- return (-1);
- return (cp - comp_dn);
-}
-
-static int
-mklower(ch)
- register int ch;
-{
- if (isascii(ch) && isupper(ch))
- return (tolower(ch));
- return (ch);
-}
-
-/*
- * Search for expanded name from a list of previously compressed names.
- * Return the offset from msg if found or -1.
- * dnptrs is the pointer to the first name on the list,
- * not the pointer to the start of the message.
- */
-static int
-dn_find(exp_dn, msg, dnptrs, lastdnptr)
- u_char *exp_dn, *msg;
- u_char **dnptrs, **lastdnptr;
-{
- register u_char *dn, *cp, **cpp;
- register int n;
- u_char *sp;
+ const u_char *saveptr = ptr;
- for (cpp = dnptrs; cpp < lastdnptr; cpp++) {
- dn = exp_dn;
- sp = cp = *cpp;
- while (n = *cp++) {
- /*
- * check for indirection
- */
- switch (n & INDIR_MASK) {
- case 0: /* normal case, n == len */
- while (--n >= 0) {
- if (*dn == '.')
- goto next;
- if (*dn == '\\')
- dn++;
- if (mklower(*dn++) != mklower(*cp++))
- goto next;
- }
- if ((n = *dn++) == '\0' && *cp == '\0')
- return (sp - msg);
- if (n == '.')
- continue;
- goto next;
-
- case INDIR_MASK: /* indirection */
- cp = msg + (((n & 0x3f) << 8) | *cp);
- break;
-
- default: /* illegal type */
- return (-1);
- }
- }
- if (*dn == '\0')
- return (sp - msg);
- next: ;
- }
- return (-1);
+ if (ns_name_skip(&ptr, eom) == -1)
+ return (-1);
+ return (ptr - saveptr);
}
/*
@@ -510,3 +310,645 @@ __putlong(l, msgp)
{
PUTLONG(l, msgp);
}
+
+/* ++ From BIND 8.1.1. ++ */
+/*
+ * Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*"Id: ns_name.c,v 1.1 1997/12/13 02:41:13 vixie Exp vixie"*/
+
+/*#include "port_before.h"*/
+
+/*#include <sys/types.h>*/
+
+/*#include <netinet/in.h>*/
+/*#include <arpa/nameser.h>*/
+
+/*#include <errno.h>*/
+/*#include <resolv.h>*/
+/*#include <string.h>*/
+
+/*#include "port_after.h"*/
+
+#define NS_CMPRSFLGS 0xc0 /* Flag bits indicating name compression. */
+#define NS_MAXCDNAME 255 /* maximum compressed domain name */
+
+/* Data. */
+
+static char digits[] = "0123456789";
+
+/* Forward. */
+
+static int special(int);
+static int printable(int);
+static int dn_find(const u_char *, const u_char *,
+ const u_char * const *,
+ const u_char * const *);
+
+/* Public. */
+
+/*
+ * ns_name_ntop(src, dst, dstsiz)
+ * Convert an encoded domain name to printable ascii as per RFC1035.
+ * return:
+ * Number of bytes written to buffer, or -1 (with errno set)
+ * notes:
+ * The root is returned as "."
+ * All other domains are returned in non absolute form
+ */
+static int
+ns_name_ntop(src, dst, dstsiz)
+ const u_char *src;
+ char *dst;
+ size_t dstsiz;
+{
+ const u_char *cp;
+ char *dn, *eom;
+ u_char c;
+ u_int n;
+
+ cp = src;
+ dn = dst;
+ eom = dst + dstsiz;
+
+ while ((n = *cp++) != 0) {
+ if ((n & NS_CMPRSFLGS) != 0) {
+ /* Some kind of compression pointer. */
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ if (dn != dst) {
+ if (dn >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *dn++ = '.';
+ }
+ if (dn + n >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ for ((void)NULL; n > 0; n--) {
+ c = *cp++;
+ if (special(c)) {
+ if (dn + 1 >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *dn++ = '\\';
+ *dn++ = (char)c;
+ } else if (!printable(c)) {
+ if (dn + 3 >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *dn++ = '\\';
+ *dn++ = digits[c / 100];
+ *dn++ = digits[(c % 100) / 10];
+ *dn++ = digits[c % 10];
+ } else {
+ if (dn >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *dn++ = (char)c;
+ }
+ }
+ }
+ if (dn == dst) {
+ if (dn >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *dn++ = '.';
+ }
+ if (dn >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *dn++ = '\0';
+ return (dn - dst);
+}
+
+/*
+ * ns_name_pton(src, dst, dstsiz)
+ * Convert a ascii string into an encoded domain name as per RFC1035.
+ * return:
+ * -1 if it fails
+ * 1 if string was fully qualified
+ * 0 is string was not fully qualified
+ * notes:
+ * Enforces label and domain length limits.
+ */
+
+static int
+ns_name_pton(src, dst, dstsiz)
+ const char *src;
+ u_char *dst;
+ size_t dstsiz;
+{
+ u_char *label, *bp, *eom;
+ int c, n, escaped;
+ char *cp;
+
+ escaped = 0;
+ bp = dst;
+ eom = dst + dstsiz;
+ label = bp++;
+
+ while ((c = *src++) != 0) {
+ if (escaped) {
+ if ((cp = strchr(digits, c)) != NULL) {
+ n = (cp - digits) * 100;
+ if ((c = *src++) == 0 ||
+ (cp = strchr(digits, c)) == NULL) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ n += (cp - digits) * 10;
+ if ((c = *src++) == 0 ||
+ (cp = strchr(digits, c)) == NULL) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ n += (cp - digits);
+ if (n > 255) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ c = n;
+ }
+ escaped = 0;
+ } else if (c == '\\') {
+ escaped = 1;
+ continue;
+ } else if (c == '.') {
+ c = (bp - label - 1);
+ if ((c & NS_CMPRSFLGS) != 0) { /* Label too big. */
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ if (label >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *label = c;
+ /* Fully qualified ? */
+ if (*src == '\0') {
+ if (c != 0) {
+ if (bp >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *bp++ = '\0';
+ }
+ if ((bp - dst) > MAXCDNAME) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ return (1);
+ }
+ if (c == 0) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ label = bp++;
+ continue;
+ }
+ if (bp >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *bp++ = (u_char)c;
+ }
+ c = (bp - label - 1);
+ if ((c & NS_CMPRSFLGS) != 0) { /* Label too big. */
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ if (label >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *label = c;
+ if (c != 0) {
+ if (bp >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *bp++ = 0;
+ }
+ if ((bp - dst) > MAXCDNAME) { /* src too big */
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ return (0);
+}
+
+/*
+ * ns_name_unpack(msg, eom, src, dst, dstsiz)
+ * Unpack a domain name from a message, source may be compressed.
+ * return:
+ * -1 if it fails, or consumed octets if it succeeds.
+ */
+static int
+ns_name_unpack(msg, eom, src, dst, dstsiz)
+ const u_char *msg;
+ const u_char *eom;
+ const u_char *src;
+ u_char *dst;
+ size_t dstsiz;
+{
+ const u_char *srcp, *dstlim;
+ u_char *dstp;
+#ifdef _LIBC
+ /* We don't want warnings! */
+ int n, len, checked;
+#else
+ int n, c, len, checked;
+#endif
+
+ len = -1;
+ checked = 0;
+ dstp = dst;
+ srcp = src;
+ dstlim = dst + dstsiz;
+ if (srcp < msg || srcp >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ /* Fetch next label in domain name. */
+ while ((n = *srcp++) != 0) {
+ /* Check for indirection. */
+ switch (n & NS_CMPRSFLGS) {
+ case 0:
+ /* Limit checks. */
+ if (dstp + n + 1 >= dstlim || srcp + n >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ checked += n + 1;
+ *dstp++ = n;
+ memcpy(dstp, srcp, n);
+ dstp += n;
+ srcp += n;
+ break;
+
+ case NS_CMPRSFLGS:
+ if (srcp >= eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ if (len < 0)
+ len = srcp - src + 1;
+ srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
+ if (srcp < msg || srcp >= eom) { /* Out of range. */
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ checked += 2;
+ /*
+ * Check for loops in the compressed name;
+ * if we've looked at the whole message,
+ * there must be a loop.
+ */
+ if (checked >= eom - msg) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ break;
+
+ default:
+ __set_errno (EMSGSIZE);
+ return (-1); /* flag error */
+ }
+ }
+ *dstp = '\0';
+ if (len < 0)
+ len = srcp - src;
+ return (len);
+}
+
+/*
+ * ns_name_pack(src, dst, dstsiz, dnptrs, lastdnptr)
+ * Pack domain name 'domain' into 'comp_dn'.
+ * return:
+ * Size of the compressed name, or -1.
+ * notes:
+ * 'dnptrs' is an array of pointers to previous compressed names.
+ * dnptrs[0] is a pointer to the beginning of the message. The array
+ * ends with NULL.
+ * 'lastdnptr' is a pointer to the end of the array pointed to
+ * by 'dnptrs'.
+ * Side effects:
+ * The list of pointers in dnptrs is updated for labels inserted into
+ * the message as we compress the name. If 'dnptr' is NULL, we don't
+ * try to compress names. If 'lastdnptr' is NULL, we don't update the
+ * list.
+ */
+static int
+ns_name_pack(src, dst, dstsiz, dnptrs, lastdnptr)
+ const u_char *src;
+ u_char *dst;
+ int dstsiz;
+ const u_char **dnptrs;
+ const u_char **lastdnptr;
+{
+ u_char *dstp;
+ const u_char **cpp, **lpp, *eob, *msg;
+ const u_char *srcp;
+ int n, l;
+
+ srcp = src;
+ dstp = dst;
+ eob = dstp + dstsiz;
+ lpp = cpp = NULL;
+ if (dnptrs != NULL) {
+ if ((msg = *dnptrs++) != NULL) {
+ for (cpp = dnptrs; *cpp != NULL; cpp++)
+ (void)NULL;
+ lpp = cpp; /* end of list to search */
+ }
+ } else
+ msg = NULL;
+
+ /* make sure the domain we are about to add is legal */
+ l = 0;
+ do {
+ n = *srcp;
+ if ((n & NS_CMPRSFLGS) != 0) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ l += n + 1;
+ if (l > MAXCDNAME) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ srcp += n + 1;
+ } while (n != 0);
+
+ srcp = src;
+ do {
+ /* Look to see if we can use pointers. */
+ n = *srcp;
+ if (n != 0 && msg != NULL) {
+ l = dn_find(srcp, msg, (const u_char * const *)dnptrs,
+ (const u_char * const *)lpp);
+ if (l >= 0) {
+ if (dstp + 1 >= eob) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *dstp++ = (l >> 8) | NS_CMPRSFLGS;
+ *dstp++ = l % 256;
+ return (dstp - dst);
+ }
+ /* Not found, save it. */
+ if (lastdnptr != NULL && cpp < lastdnptr - 1 &&
+ (dstp - msg) < 0x4000) {
+ *cpp++ = dstp;
+ *cpp = NULL;
+ }
+ }
+ /* copy label to buffer */
+ if (n & NS_CMPRSFLGS) { /* Should not happen. */
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ if (dstp + 1 + n >= eob) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ memcpy(dstp, srcp, n + 1);
+ srcp += n + 1;
+ dstp += n + 1;
+ } while (n != 0);
+
+ if (dstp > eob) {
+ if (msg != NULL)
+ *lpp = NULL;
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ return (dstp - dst);
+}
+
+/*
+ * ns_name_uncompress(msg, eom, src, dst, dstsiz)
+ * Expand compressed domain name to presentation format.
+ * return:
+ * Number of bytes read out of `src', or -1 (with errno set).
+ * note:
+ * Root domain returns as "." not "".
+ */
+static int
+ns_name_uncompress(msg, eom, src, dst, dstsiz)
+ const u_char *msg;
+ const u_char *eom;
+ const u_char *src;
+ char *dst;
+ size_t dstsiz;
+{
+ u_char tmp[NS_MAXCDNAME];
+ int n;
+
+ if ((n = ns_name_unpack(msg, eom, src, tmp, sizeof tmp)) == -1)
+ return (-1);
+ if (ns_name_ntop(tmp, dst, dstsiz) == -1)
+ return (-1);
+ return (n);
+}
+
+/*
+ * ns_name_compress(src, dst, dstsiz, dnptrs, lastdnptr)
+ * Compress a domain name into wire format, using compression pointers.
+ * return:
+ * Number of bytes consumed in `dst' or -1 (with errno set).
+ * notes:
+ * 'dnptrs' is an array of pointers to previous compressed names.
+ * dnptrs[0] is a pointer to the beginning of the message.
+ * The list ends with NULL. 'lastdnptr' is a pointer to the end of the
+ * array pointed to by 'dnptrs'. Side effect is to update the list of
+ * pointers for labels inserted into the message as we compress the name.
+ * If 'dnptr' is NULL, we don't try to compress names. If 'lastdnptr'
+ * is NULL, we don't update the list.
+ */
+static int
+ns_name_compress(src, dst, dstsiz, dnptrs, lastdnptr)
+ const char *src;
+ u_char *dst;
+ size_t dstsiz;
+ const u_char **dnptrs;
+ const u_char **lastdnptr;
+{
+ u_char tmp[NS_MAXCDNAME];
+
+ if (ns_name_pton(src, tmp, sizeof tmp) == -1)
+ return (-1);
+ return (ns_name_pack(tmp, dst, dstsiz, dnptrs, lastdnptr));
+}
+
+/*
+ * ns_name_skip(ptrptr, eom)
+ * Advance *ptrptr to skip over the compressed name it points at.
+ * return:
+ * 0 on success, -1 (with errno set) on failure.
+ */
+static int
+ns_name_skip(ptrptr, eom)
+ const u_char **ptrptr;
+ const u_char *eom;
+{
+ const u_char *cp;
+ u_int n;
+
+ cp = *ptrptr;
+ while (cp < eom && (n = *cp++) != 0) {
+ /* Check for indirection. */
+ switch (n & NS_CMPRSFLGS) {
+ case 0: /* normal case, n == len */
+ cp += n;
+ continue;
+ case NS_CMPRSFLGS: /* indirection */
+ cp++;
+ break;
+ default: /* illegal type */
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ break;
+ }
+ if (cp > eom) {
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ *ptrptr = cp;
+ return (0);
+}
+
+/* Private. */
+
+/*
+ * special(ch)
+ * Thinking in noninternationalized USASCII (per the DNS spec),
+ * is this characted special ("in need of quoting") ?
+ * return:
+ * boolean.
+ */
+static int
+special(ch)
+ int ch;
+{
+ switch (ch) {
+ case 0x22: /* '"' */
+ case 0x2E: /* '.' */
+ case 0x3B: /* ';' */
+ case 0x5C: /* '\\' */
+ /* Special modifiers in zone files. */
+ case 0x40: /* '@' */
+ case 0x24: /* '$' */
+ return (1);
+ default:
+ return (0);
+ }
+}
+
+/*
+ * printable(ch)
+ * Thinking in noninternationalized USASCII (per the DNS spec),
+ * is this character visible and not a space when printed ?
+ * return:
+ * boolean.
+ */
+static int
+printable(ch)
+ int ch;
+{
+ return (ch > 0x20 && ch < 0x7f);
+}
+
+/*
+ * Thinking in noninternationalized USASCII (per the DNS spec),
+ * convert this character to lower case if it's upper case.
+ */
+static int
+mklower(ch)
+ int ch;
+{
+ if (ch >= 0x41 && ch <= 0x5A)
+ return (ch + 0x20);
+ return (ch);
+}
+
+/*
+ * dn_find(domain, msg, dnptrs, lastdnptr)
+ * Search for the counted-label name in an array of compressed names.
+ * return:
+ * offset from msg if found, or -1.
+ * notes:
+ * dnptrs is the pointer to the first name on the list,
+ * not the pointer to the start of the message.
+ */
+static int
+dn_find(domain, msg, dnptrs, lastdnptr)
+ const u_char *domain;
+ const u_char *msg;
+ const u_char * const *dnptrs;
+ const u_char * const *lastdnptr;
+{
+ const u_char *dn, *cp, *sp;
+ const u_char * const *cpp;
+ u_int n;
+
+ for (cpp = dnptrs; cpp < lastdnptr; cpp++) {
+ dn = domain;
+ sp = cp = *cpp;
+ while ((n = *cp++) != 0) {
+ /*
+ * check for indirection
+ */
+ switch (n & NS_CMPRSFLGS) {
+ case 0: /* normal case, n == len */
+ if (n != *dn++)
+ goto next;
+ for ((void)NULL; n > 0; n--)
+ if (mklower(*dn++) != mklower(*cp++))
+ goto next;
+ /* Is next root for both ? */
+ if (*dn == '\0' && *cp == '\0')
+ return (sp - msg);
+ if (*dn)
+ continue;
+ goto next;
+
+ case NS_CMPRSFLGS: /* indirection */
+ cp = msg + (((n & 0x3f) << 8) | *cp);
+ break;
+
+ default: /* illegal type */
+ __set_errno (EMSGSIZE);
+ return (-1);
+ }
+ }
+ next: ;
+ }
+ __set_errno (ENOENT);
+ return (-1);
+}
+
+/* -- From BIND 8.1.1. -- */
diff --git a/resolv/res_send.c b/resolv/res_send.c
index eb159be..e5c6e03 100644
--- a/resolv/res_send.c
+++ b/resolv/res_send.c
@@ -214,6 +214,8 @@ res_isourserver(inp)
/* int
* res_nameinquery(name, type, class, buf, eom)
* look for (name,type,class) in the query section of packet (buf,eom)
+ * requires:
+ * buf + HFIXESDZ <= eom
* returns:
* -1 : format error
* 0 : not found
@@ -238,6 +240,8 @@ res_nameinquery(name, type, class, buf, eom)
if (n < 0)
return (-1);
cp += n;
+ if (cp + 2 * INT16SZ > eom)
+ return (-1);
ttype = _getshort(cp); cp += INT16SZ;
tclass = _getshort(cp); cp += INT16SZ;
if (ttype == type &&
@@ -267,6 +271,9 @@ res_queriesmatch(buf1, eom1, buf2, eom2)
register const u_char *cp = buf1 + HFIXEDSZ;
int qdcount = ntohs(((HEADER*)buf1)->qdcount);
+ if (buf1 + HFIXEDSZ > eom1 || buf2 + HFIXEDSZ > eom2)
+ return (-1);
+
if (qdcount != ntohs(((HEADER*)buf2)->qdcount))
return (0);
while (qdcount-- > 0) {
@@ -277,6 +284,8 @@ res_queriesmatch(buf1, eom1, buf2, eom2)
if (n < 0)
return (-1);
cp += n;
+ if (cp + 2 * INT16SZ > eom1)
+ return (-1);
ttype = _getshort(cp); cp += INT16SZ;
tclass = _getshort(cp); cp += INT16SZ;
if (!res_nameinquery(tname, ttype, tclass, buf2, eom2))
@@ -302,6 +311,10 @@ res_send(buf, buflen, ans, anssiz)
/* errno should have been set by res_init() in this case. */
return (-1);
}
+ if (anssiz < HFIXEDSZ) {
+ __set_errno (EINVAL);
+ return (-1);
+ }
DprintQ((_res.options & RES_DEBUG) || (_res.pfcode & RES_PRF_QUERY),
(stdout, ";; res_send()\n"), buf, buflen);
v_circuit = (_res.options & RES_USEVC) || buflen > PACKETSZ;
@@ -446,6 +459,17 @@ read_len:
len = anssiz;
} else
len = resplen;
+ if (len < HFIXEDSZ) {
+ /*
+ * Undersized message.
+ */
+ Dprint(_res.options & RES_DEBUG,
+ (stdout, ";; undersized: %d\n", len));
+ terrno = EMSGSIZE;
+ badns |= (1 << ns);
+ res_close();
+ goto next_ns;
+ }
cp = ans;
while (len != 0 &&
(n = read(s, (char *)cp, (int)len)) > 0) {
@@ -601,12 +625,12 @@ read_len:
if ((long) timeout.tv_sec <= 0)
timeout.tv_sec = 1;
timeout.tv_usec = 0;
- if (s+1 > FD_SETSIZE) {
- Perror(stderr, "s+1 > FD_SETSIZE", EMFILE);
+ wait:
+ if (s < 0 || s >= FD_SETSIZE) {
+ Perror(stderr, "s out-of-bounds", EMFILE);
res_close();
goto next_ns;
}
- wait:
FD_ZERO(&dsmask);
FD_SET(s, &dsmask);
n = select(s+1, &dsmask, (fd_set *)NULL,
@@ -638,6 +662,18 @@ read_len:
goto next_ns;
}
gotsomewhere = 1;
+ if (resplen < HFIXEDSZ) {
+ /*
+ * Undersized message.
+ */
+ Dprint(_res.options & RES_DEBUG,
+ (stdout, ";; undersized: %d\n",
+ resplen));
+ terrno = EMSGSIZE;
+ badns |= (1 << ns);
+ res_close();
+ goto next_ns;
+ }
if (hp->id != anhp->id) {
/*
* response from old query, ignore it.