From cff2c78c513ef8d51e69a6933f1c6aef8a24a6d6 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 19 Jul 2021 07:55:27 +0200 Subject: resolv: Move ns_name_skip to its own file and into libc (bug 28091) And reformat to GNU style. Avoid out-of-bounds pointer arithmetic. This also results in a fix of bug 28091 due to the additional packet length checks. The symbol was moved using scripts/move-symbol-to-libc.py. Reviewed-by: Carlos O'Donell --- resolv/Makefile | 1 + resolv/Versions | 5 +++- resolv/ns_name.c | 37 --------------------------- resolv/ns_name_skip.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 75 insertions(+), 38 deletions(-) create mode 100644 resolv/ns_name_skip.c (limited to 'resolv')
diff --git a/resolv/Makefile b/resolv/Makefile
index 469a9a5..91ce46a 100644
--- a/resolv/Makefile
+++ b/resolv/Makefile
@@ -33,6 +33,7 @@ routines := \
 inet_ntop \
 inet_pton \
 ns_name_ntop \
+ ns_name_skip \
 ns_name_unpack \
 nsap_addr \
 res-close \
diff --git a/resolv/Versions b/resolv/Versions
index 9b5c4d9..b075881 100644
--- a/resolv/Versions
+++ b/resolv/Versions
@@ -26,6 +26,7 @@ libc {
 }
 GLIBC_2.9 {
 ns_name_ntop;
+ ns_name_skip;
 ns_name_unpack;
 }
 GLIBC_2.34 {
@@ -36,6 +37,7 @@ libc {
 getaddrinfo_a;
 %endif
 ns_name_ntop;
+ ns_name_skip;
 ns_name_unpack;
 }
 GLIBC_PRIVATE {
@@ -45,9 +47,10 @@ libc {
 __h_errno;
 __inet_aton_exact;
 __inet_pton_length;
- __res_iclose;
 __ns_name_ntop;
+ __ns_name_skip;
 __ns_name_unpack;
+ __res_iclose;
 __resolv_context_get;
 __resolv_context_get_override;
 __resolv_context_get_preinit;
diff --git a/resolv/ns_name.c b/resolv/ns_name.c
index a0d541f..58d6a60 100644
--- a/resolv/ns_name.c
+++ b/resolv/ns_name.c
@@ -397,43 +397,6 @@ ns_name_rollback(const u_char *src, const u_char **dnptrs, } } -/*% - * Advance *ptrptr to skip over the compressed name it points at. - * - * return: - *\li 0 on success, -1 (with errno set) on failure. - */ -int -ns_name_skip(const u_char **ptrptr, const u_char *eom) -{ - const u_char *cp; - u_int n; - - cp = *ptrptr; - while (cp < eom && (n = *cp++) != 0) { - /* Check for indirection. */ - switch (n & NS_CMPRSFLGS) { - case 0: /*%< normal case, n == len */ - cp += n; - continue; - case NS_CMPRSFLGS: /*%< indirection */ - cp++; - break; - default: /*%< illegal type */ - __set_errno (EMSGSIZE); - return (-1); - } - break; - } - if (cp > eom) { - __set_errno (EMSGSIZE); - return (-1); - } - *ptrptr = cp; - return (0); -} -libresolv_hidden_def (ns_name_skip) - /* Private. */ /*% diff --git a/resolv/ns_name_skip.c b/resolv/ns_name_skip.c new file mode 100644 index 0000000..c26d658 --- /dev/null +++ b/resolv/ns_name_skip.c 
@@ -0,0 +1,70 @@
+/* Skip over a (potentially compressed) domain name in wire format.
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+#include
+#include
+
+/* Advances *PTRPTR to skip over the compressed name it points at.
+ Returns 0 on success, -1 (with errno set) on failure. */
+int
+___ns_name_skip (const unsigned char **ptrptr, const unsigned char *eom)
+{
+ const unsigned char *cp;
+ unsigned int n;
+
+ cp = *ptrptr;
+ while (cp < eom)
+ {
+ n = *cp++;
+ if (n == 0)
+ {
+ /* End of domain name without indirection. */
+ *ptrptr = cp;
+ return 0;
+ }
+
+ /* Check for indirection. */
+ switch (n & NS_CMPRSFLGS)
+ {
+ case 0: /* Normal case, n == len. */
+ if (eom - cp < n)
+ goto malformed;
+ cp += n;
+ break;
+ case NS_CMPRSFLGS: /* Indirection. */
+ if (cp == eom)
+ /* No room for second indirection byte. */
+ goto malformed;
+ *ptrptr = cp + 1;
+ return 0;
+ default: /* Illegal type. */
+ goto malformed;
+ }
+ }
+
+ malformed:
+ __set_errno (EMSGSIZE);
+ return -1;
+}
+versioned_symbol (libc, ___ns_name_skip, ns_name_skip, GLIBC_2_34);
+versioned_symbol (libc, ___ns_name_skip, __ns_name_skip, GLIBC_PRIVATE);
+libc_hidden_ver (___ns_name_skip, __ns_name_skip)
+
+#if OTHER_SHLIB_COMPAT (libresolv, GLIBC_2_9, GLIBC_2_34)
+compat_symbol (libresolv, ___ns_name_skip, ns_name_skip, GLIBC_2_9);
+#endif
-- 
cgit v1.1
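Review bot: The comment above `___ns_name_skip` gives only the return values and leaves out what a caller can rely on after each outcome. From the visible body, `*ptrptr` is written only on the two `return 0` paths, and success means just that the label lengths fit before `eom`: the indirection case returns after the second byte without examining the pointer target, and no total-length limit is applied. I would extend the comment with something like `On failure *PTRPTR is unchanged.  Success only means the encoded name ends before EOM; a compression pointer's target is not validated.` so callers do not treat a skipped name as a validated one. Separately, `if (eom - cp < n)` compares a pointer difference with an `unsigned int`; it is sound because `cp <= eom` holds at that point, and a one-line comment stating that invariant would make the bound easier to audit.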