diff options
author | ume <ume@FreeBSD.org> | 2014-08-30 10:25:41 +0000 |
---|---|---|
committer | ume <ume@FreeBSD.org> | 2014-08-30 10:25:41 +0000 |
commit | 82bd2f3628742196d0d236ab7101a77d11199821 (patch) | |
tree | b175c4422bf4260fca50658867d18df29bf39b7c | |
parent | 7642dd9269b5e4ac7a60c333921d606f62925a5a (diff) | |
download | FreeBSD-src-82bd2f3628742196d0d236ab7101a77d11199821.zip FreeBSD-src-82bd2f3628742196d0d236ab7101a77d11199821.tar.gz |
MFC r269873:
Fix broken pointer overflow check ns_name_unpack()
Many compilers may optimize away the overflow check `msg + l < msg',
where `msg' is a pointer and `l' is an integer, because pointer
overflow is undefined behavior in C.
Use a safe precondition test `l >= eom - msg' instead.
Reference:
https://android-review.googlesource.com/#/c/50570/
Requested by: pfg
Obtained from: NetBSD (CVS rev. 1.10)
-rw-r--r-- | lib/libc/nameser/ns_name.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/libc/nameser/ns_name.c b/lib/libc/nameser/ns_name.c index 1f37406..5b8a8cb 100644 --- a/lib/libc/nameser/ns_name.c +++ b/lib/libc/nameser/ns_name.c @@ -463,11 +463,12 @@ ns_name_unpack2(const u_char *msg, const u_char *eom, const u_char *src, } if (len < 0) len = srcp - src + 1; - srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff)); - if (srcp < msg || srcp >= eom) { /*%< Out of range. */ + l = ((n & 0x3f) << 8) | (*srcp & 0xff); + if (l >= eom - msg) { /*%< Out of range. */ errno = EMSGSIZE; return (-1); } + srcp = msg + l; checked += 2; /* * Check for loops in the compressed name; |