diff options
author | Ulrich Drepper <drepper@redhat.com> | 1998-05-29 10:21:16 +0000 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 1998-05-29 10:21:16 +0000 |
commit | 66715f834cb1f2f5c3742e94f73bd630ea4b14eb (patch) | |
tree | ddf10eb9dab578cbe895b7bf351584d47f64a2fc /resolv/res_send.c | |
parent | f962d792472c45c9bccdc6b0697ad3d6350e9270 (diff) | |
download | glibc-66715f834cb1f2f5c3742e94f73bd630ea4b14eb.zip glibc-66715f834cb1f2f5c3742e94f73bd630ea4b14eb.tar.gz glibc-66715f834cb1f2f5c3742e94f73bd630ea4b14eb.tar.bz2 |
Update.
1998-05-28 00:53 Zack Weinberg <zack@rabi.phys.columbia.edu>
* glibcbug.in: Send to bugs@gnu or libc-alpha@cygnus depending
on whether this is a stable release or not (keeps snapshot bug
reports out of the database).
* include/libc-symbols.h: Use __ASSEMBLER__ test macro not ASSEMBLER.
* sysdeps/arm/sysdep.h: Likewise.
* sysdeps/i386/sysdep.h: Likewise.
* sysdeps/m68k/sysdep.h: Likewise.
* sysdeps/mach/mips/sysdep.h: Likewise.
* sysdeps/mach/sys/reboot.h: Likewise.
* sysdeps/mach/sysdep.h: Likewise.
* sysdeps/unix/alpha/sysdep.h: Likewise.
* sysdeps/unix/bsd/hp/m68k/sysdep.h: Likewise.
* sysdeps/unix/bsd/osf/alpha/sysdep.h: Likewise.
* sysdeps/unix/bsd/sequent/i386/sysdep.h: Likewise.
* sysdeps/unix/bsd/sony/newsos/m68k/sysdep.h: Likewise.
* sysdeps/unix/bsd/sun/m68k/sysdep.h: Likewise.
* sysdeps/unix/bsd/vax/sysdep.h: Likewise.
* sysdeps/unix/i386/sysdep.h: Likewise.
* sysdeps/unix/mips/sysdep.h: Likewise.
* sysdeps/unix/sparc/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/alpha/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/arm/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/i386/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/m68k/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/powerpc/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/sparc/sparc32/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/sparc/sparc64/sysdep.h: Likewise.
* sysdeps/unix/sysv/sysv4/solaris2/sparc/sysdep.h: Likewise.
1998-05-27 Mark Kettenis <kettenis@phys.uva.nl>
* mach/Machrules: Use $(move-if-change).
1998-05-27 Mark Kettenis <kettenis@phys.uva.nl>
* Makeconfig [elf=yes] (+interp): New variable, set to interp.os.
* Makerules (lib%.so): Depend on $(+interp).
(libc.so): Add interp.os to list of dependencies.
(interp-obj): Remove variable.
* mach/Machrules (+interp): Define to empty since libhurduser and
libmachuser don't need to have the interpreter set.
1998-05-28 Andreas Jaeger <aj@arthur.rhein-neckar.de>
* resolv/res_send.c: Security fixes from bind 4.9.7-REL.
* resolv/gethnamaddr.c: Likewise.
* resolv/res_comp.c: Likewise.
1998-05-28 Mark Kettenis <kettenis@phys.uva.nl>
* sysdeps/mach/hurd/wait4.c (__wait4): Use ANSI-style definition
so that transparent union works.
Diffstat (limited to 'resolv/res_send.c')
-rw-r--r-- | resolv/res_send.c | 42 |
1 files changed, 39 insertions, 3 deletions
diff --git a/resolv/res_send.c b/resolv/res_send.c index eb159be..e5c6e03 100644 --- a/resolv/res_send.c +++ b/resolv/res_send.c @@ -214,6 +214,8 @@ res_isourserver(inp) /* int * res_nameinquery(name, type, class, buf, eom) * look for (name,type,class) in the query section of packet (buf,eom) + * requires: + * buf + HFIXESDZ <= eom * returns: * -1 : format error * 0 : not found @@ -238,6 +240,8 @@ res_nameinquery(name, type, class, buf, eom) if (n < 0) return (-1); cp += n; + if (cp + 2 * INT16SZ > eom) + return (-1); ttype = _getshort(cp); cp += INT16SZ; tclass = _getshort(cp); cp += INT16SZ; if (ttype == type && @@ -267,6 +271,9 @@ res_queriesmatch(buf1, eom1, buf2, eom2) register const u_char *cp = buf1 + HFIXEDSZ; int qdcount = ntohs(((HEADER*)buf1)->qdcount); + if (buf1 + HFIXEDSZ > eom1 || buf2 + HFIXEDSZ > eom2) + return (-1); + if (qdcount != ntohs(((HEADER*)buf2)->qdcount)) return (0); while (qdcount-- > 0) { @@ -277,6 +284,8 @@ res_queriesmatch(buf1, eom1, buf2, eom2) if (n < 0) return (-1); cp += n; + if (cp + 2 * INT16SZ > eom1) + return (-1); ttype = _getshort(cp); cp += INT16SZ; tclass = _getshort(cp); cp += INT16SZ; if (!res_nameinquery(tname, ttype, tclass, buf2, eom2)) @@ -302,6 +311,10 @@ res_send(buf, buflen, ans, anssiz) /* errno should have been set by res_init() in this case. */ return (-1); } + if (anssiz < HFIXEDSZ) { + __set_errno (EINVAL); + return (-1); + } DprintQ((_res.options & RES_DEBUG) || (_res.pfcode & RES_PRF_QUERY), (stdout, ";; res_send()\n"), buf, buflen); v_circuit = (_res.options & RES_USEVC) || buflen > PACKETSZ; @@ -446,6 +459,17 @@ read_len: len = anssiz; } else len = resplen; + if (len < HFIXEDSZ) { + /* + * Undersized message. + */ + Dprint(_res.options & RES_DEBUG, + (stdout, ";; undersized: %d\n", len)); + terrno = EMSGSIZE; + badns |= (1 << ns); + res_close(); + goto next_ns; + } cp = ans; while (len != 0 && (n = read(s, (char *)cp, (int)len)) > 0) { @@ -601,12 +625,12 @@ read_len: if ((long) timeout.tv_sec <= 0) timeout.tv_sec = 1; timeout.tv_usec = 0; - if (s+1 > FD_SETSIZE) { - Perror(stderr, "s+1 > FD_SETSIZE", EMFILE); + wait: + if (s < 0 || s >= FD_SETSIZE) { + Perror(stderr, "s out-of-bounds", EMFILE); res_close(); goto next_ns; } - wait: FD_ZERO(&dsmask); FD_SET(s, &dsmask); n = select(s+1, &dsmask, (fd_set *)NULL, @@ -638,6 +662,18 @@ read_len: goto next_ns; } gotsomewhere = 1; + if (resplen < HFIXEDSZ) { + /* + * Undersized message. + */ + Dprint(_res.options & RES_DEBUG, + (stdout, ";; undersized: %d\n", + resplen)); + terrno = EMSGSIZE; + badns |= (1 << ns); + res_close(); + goto next_ns; + } if (hp->id != anhp->id) { /* * response from old query, ignore it. |