Update libc dns code to 4.9.7-T1B level. This involved chopping out large

chunks of res_comp.c and replacing it with chunks of bind-8.1.1's resolver
code.  (There are no interface changes though)
The other parts are better bounds checking related.

3 files changed, 753 insertions, 249 deletions

diff --git a/lib/libc/net/gethostbydns.c b/lib/libc/net/gethostbydns.c
index 4d13e2e..b27d234 100644
--- a/lib/libc/net/gethostbydns.c
+++ b/lib/libc/net/gethostbydns.c
@@ -55,8 +55,8 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)gethostnamadr.c	8.1 (Berkeley) 6/4/93";
-static char fromrcsid[] = "From: Id: gethnamaddr.c,v 8.21 1997/06/01 20:34:37 vixie Exp";
-static char rcsid[] = "$Id: gethostbydns.c,v 1.21 1997/03/12 11:02:00 peter Exp $";
+static char fromrcsid[] = "From: Id: gethnamaddr.c,v 8.23 1998/04/07 04:59:46 vixie Exp $";
+static char rcsid[] = "$Id: gethostbydns.c,v 1.22 1997/06/27 08:22:01 peter Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <sys/types.h>
@@ -132,6 +132,23 @@ dprintf(msg, num)
 # define dprintf(msg, num) /*nada*/
 #endif
 
+#define BOUNDED_INCR(x) \
+	do { \
+		cp += x; \
+		if (cp > eom) { \
+			h_errno = NO_RECOVERY; \
+			return (NULL); \
+		} \
+	} while (0)
+
+#define BOUNDS_CHECK(ptr, count) \
+	do { \
+		if ((ptr) + (count) > eom) { \
+			h_errno = NO_RECOVERY; \
+			return (NULL); \
+		} \
+	} while (0)
+
 static struct hostent *
 gethostanswer(answer, anslen, qname, qtype)
 	const querybuf *answer;
@@ -142,7 +159,7 @@ gethostanswer(answer, anslen, qname, qtype)
 	register const HEADER *hp;
 	register const u_char *cp;
 	register int n;
-	const u_char *eom;
+	const u_char *eom, *erdata;
 	char *bp, **ap, **hap;
 	int type, class, buflen, ancount, qdcount;
 	int haveanswer, had_error;
@@ -174,7 +191,8 @@ gethostanswer(answer, anslen, qname, qtype)
 	qdcount = ntohs(hp->qdcount);
 	bp = hostbuf;
 	buflen = sizeof hostbuf;
-	cp = answer->buf + HFIXEDSZ;
+	cp = answer->buf;
+	BOUNDED_INCR(HFIXEDSZ);
 	if (qdcount != 1) {
 		h_errno = NO_RECOVERY;
 		return (NULL);
@@ -184,7 +202,7 @@ gethostanswer(answer, anslen, qname, qtype)
 		h_errno = NO_RECOVERY;
 		return (NULL);
 	}
-	cp += n + QFIXEDSZ;
+	BOUNDED_INCR(n + QFIXEDSZ);
 	if (qtype == T_A || qtype == T_AAAA) {
 		/* res_send() has already verified that the query name is the
 		 * same as the one we sent; this just gets the expanded name
@@ -217,6 +235,7 @@ gethostanswer(answer, anslen, qname, qtype)
 			continue;
 		}
 		cp += n;			/* name */
+		BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ);
 		type = _getshort(cp);
  		cp += INT16SZ;			/* type */
 		class = _getshort(cp);
@@ -226,6 +245,8 @@ gethostanswer(answer, anslen, qname, qtype)
 		cp += INT32SZ;			/* TTL */
 		n = _getshort(cp);
 		cp += INT16SZ;			/* len */
+		BOUNDS_CHECK(cp, n);
+		erdata = cp + n;
 		if (class != C_IN) {
 			/* XXX - debug? syslog? */
 			cp += n;
@@ -240,6 +261,10 @@ gethostanswer(answer, anslen, qname, qtype)
 				continue;
 			}
 			cp += n;
+			if (cp != erdata) {
+				h_errno = NO_RECOVERY;
+				return (NULL);
+			}
 			/* Store alias. */
 			*ap++ = bp;
 			n = strlen(bp) + 1;	/* for the \0 */
@@ -268,6 +293,10 @@ gethostanswer(answer, anslen, qname, qtype)
 				continue;
 			}
 			cp += n;
+			if (cp != erdata) {
+				h_errno = NO_RECOVERY;
+				return (NULL);
+			}
 			/* Get canonical name. */
 			n = strlen(tbuf) + 1;	/* for the \0 */
 			if (n > buflen || n >= MAXHOSTNAMELEN) {
@@ -303,6 +332,10 @@ gethostanswer(answer, anslen, qname, qtype)
 			}
 #if MULTI_PTRS_ARE_ALIASES
 			cp += n;
+			if (cp != erdata) {
+				h_errno = NO_RECOVERY;
+				return (NULL);
+			}
 			if (!haveanswer)
 				host.h_name = bp;
 			else if (ap < &host_aliases[MAXALIASES-1])
@@ -373,6 +406,10 @@ gethostanswer(answer, anslen, qname, qtype)
 			bp += n;
 			buflen -= n;
 			cp += n;
+			if (cp != erdata) {
+				h_errno = NO_RECOVERY;
+				return (NULL);
+			}
 			break;
 		default:
 			dprintf("Impossible condition (type=%d)\n", type);
diff --git a/lib/libc/net/res_comp.c b/lib/libc/net/res_comp.c
index 86fd4ae..8cd7469 100644
--- a/lib/libc/net/res_comp.c
+++ b/lib/libc/net/res_comp.c
@@ -55,8 +55,8 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)res_comp.c	8.1 (Berkeley) 6/4/93";
-static char orig_rcsid[] = "From: Id: res_comp.c,v 8.12 1997/06/01 20:34:37 vixie Exp";
-static char rcsid[] = "$Id: res_comp.c,v 1.11 1997/06/13 19:21:54 ache Exp $";
+static char orig_rcsid[] = "From: Id: res_comp.c,v 8.13 1998/04/07 04:24:06 vixie Exp $";
+static char rcsid[] = "$Id: res_comp.c,v 1.12 1997/06/27 08:22:02 peter Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <sys/types.h>
@@ -67,12 +67,22 @@ static char rcsid[] = "$Id: res_comp.c,v 1.11 1997/06/13 19:21:54 ache Exp $";
 #include <stdio.h>
 #include <resolv.h>
 #include <ctype.h>
+#include <errno.h>
 
 #include <unistd.h>
 #include <string.h>
 
-static int	dn_find __P((u_char *exp_dn, u_char *msg,
-			     u_char **dnptrs, u_char **lastdnptr));
+static int	ns_name_ntop __P((const u_char *, char *, size_t));
+static int	ns_name_pton __P((const char *, u_char *, size_t));
+static int	ns_name_unpack __P((const u_char *, const u_char *,
+				    const u_char *, u_char *, size_t));
+static int	ns_name_pack __P((const u_char *, u_char *, int,
+				  const u_char **, const u_char **));
+static int	ns_name_uncompress __P((const u_char *, const u_char *,
+					const u_char *, char *, size_t));
+static int	ns_name_compress __P((const char *, u_char *, size_t,
+				      const u_char **, const u_char **));
+static int	ns_name_skip __P((const u_char **, const u_char *));
 
 /*
  * Expand compressed domain name 'comp_dn' to full domain name.
@@ -82,261 +92,40 @@ static int	dn_find __P((u_char *exp_dn, u_char *msg,
  * Return size of compressed name or -1 if there was an error.
  */
 int
-dn_expand(msg, eomorig, comp_dn, exp_dn, length)
-	const u_char *msg, *eomorig, *comp_dn;
-	char *exp_dn;
-	int length;
+dn_expand(const u_char *msg, const u_char *eom, const u_char *src,
+	  char *dst, int dstsiz)
 {
-	register const u_char *cp;
-	register char *dn;
-	register int n, c;
-	char *eom;
-	int len = -1, checked = 0, octets = 0;
-
-	dn = exp_dn;
-	cp = comp_dn;
-	eom = exp_dn + length;
-	/*
-	 * fetch next label in domain name
-	 */
-	while ( (n = *cp++) ) {
-		/*
-		 * Check for indirection
-		 */
-		switch (n & INDIR_MASK) {
-		case 0:
-			octets += (n + 1);
-			if (octets > MAXCDNAME)
-				return (-1);
-			if (dn != exp_dn) {
-				if (dn >= eom)
-					return (-1);
-				*dn++ = '.';
-			}
-			if (dn+n >= eom)
-				return (-1);
-			checked += n + 1;
-			while (--n >= 0) {
-				if (((c = *cp++) == '.') || (c == '\\')) {
-					if (dn + n + 2 >= eom)
-						return (-1);
-					*dn++ = '\\';
-				}
-				*dn++ = c;
-				if (cp >= eomorig)	/* out of range */
-					return (-1);
-			}
-			break;
-
-		case INDIR_MASK:
-			if (len < 0)
-				len = cp - comp_dn + 1;
-			cp = msg + (((n & 0x3f) << 8) | (*cp & 0xff));
-			if (cp < msg || cp >= eomorig)	/* out of range */
-				return (-1);
-			checked += 2;
-			/*
-			 * Check for loops in the compressed name;
-			 * if we've looked at the whole message,
-			 * there must be a loop.
-			 */
-			if (checked >= eomorig - msg)
-				return (-1);
-			break;
+	int n = ns_name_uncompress(msg, eom, src, dst, (size_t)dstsiz);
 
-		default:
-			return (-1);			/* flag error */
-		}
-	}
-	*dn = '\0';
-	if (len < 0)
-		len = cp - comp_dn;
-	return (len);
+	if (n > 0 && dst[0] == '.')
+		dst[0] = '\0';
+	return (n);
 }
 
 /*
- * Compress domain name 'exp_dn' into 'comp_dn'.
+ * Pack domain name 'exp_dn' in presentation form into 'comp_dn'.
  * Return the size of the compressed name or -1.
  * 'length' is the size of the array pointed to by 'comp_dn'.
- * 'dnptrs' is a list of pointers to previous compressed names. dnptrs[0]
- * is a pointer to the beginning of the message. The list ends with NULL.
- * 'lastdnptr' is a pointer to the end of the arrary pointed to
- * by 'dnptrs'. Side effect is to update the list of pointers for
- * labels inserted into the message as we compress the name.
- * If 'dnptr' is NULL, we don't try to compress names. If 'lastdnptr'
- * is NULL, we don't update the list.
  */
 int
-dn_comp(exp_dn, comp_dn, length, dnptrs, lastdnptr)
-	const char *exp_dn;
-	u_char *comp_dn, **dnptrs, **lastdnptr;
-	int length;
+dn_comp(const char *src, u_char *dst, int dstsiz,
+	u_char **dnptrs, u_char **lastdnptr)
 {
-	register u_char *cp, *dn;
-	register int c, l;
-	u_char **cpp, **lpp, *sp, *eob;
-	u_char *msg;
-
-	dn = (u_char *)exp_dn;
-	cp = comp_dn;
-	if (length > MAXCDNAME)
-		length = MAXCDNAME;
-	eob = cp + length;
-	lpp = cpp = NULL;
-	if (dnptrs != NULL) {
-		if ((msg = *dnptrs++) != NULL) {
-			for (cpp = dnptrs; *cpp != NULL; cpp++)
-				;
-			lpp = cpp;	/* end of list to search */
-		}
-	} else
-		msg = NULL;
-	for (c = *dn++; c != '\0'; ) {
-		/* look to see if we can use pointers */
-		if (msg != NULL) {
-			if ((l = dn_find(dn-1, msg, dnptrs, lpp)) >= 0) {
-				if (cp+1 >= eob)
-					return (-1);
-				*cp++ = (l >> 8) | INDIR_MASK;
-				*cp++ = l % 256;
-				return (cp - comp_dn);
-			}
-			/* not found, save it */
-			if (lastdnptr != NULL && cpp < lastdnptr-1) {
-				*cpp++ = cp;
-				*cpp = NULL;
-			}
-		}
-		sp = cp++;	/* save ptr to length byte */
-		do {
-			if (c == '.') {
-				c = *dn++;
-				break;
-			}
-			if (c == '\\') {
-				if ((c = *dn++) == '\0')
-					break;
-			}
-			if (cp >= eob) {
-				if (msg != NULL)
-					*lpp = NULL;
-				return (-1);
-			}
-			*cp++ = c;
-		} while ((c = *dn++) != '\0');
-		/* catch trailing '.'s but not '..' */
-		if ((l = cp - sp - 1) == 0 && c == '\0') {
-			cp--;
-			break;
-		}
-		if (l <= 0 || l > MAXLABEL) {
-			if (msg != NULL)
-				*lpp = NULL;
-			return (-1);
-		}
-		*sp = l;
-	}
-	if (cp >= eob) {
-		if (msg != NULL)
-			*lpp = NULL;
-		return (-1);
-	}
-	*cp++ = '\0';
-	return (cp - comp_dn);
+	return (ns_name_compress(src, dst, (size_t)dstsiz,
+				 (const u_char **)dnptrs,
+				 (const u_char **)lastdnptr));
 }
 
 /*
  * Skip over a compressed domain name. Return the size or -1.
  */
 int
-__dn_skipname(comp_dn, eom)
-	const u_char *comp_dn, *eom;
-{
-	register const u_char *cp;
-	register int n;
-
-	cp = comp_dn;
-	while (cp < eom && (n = *cp++)) {
-		/*
-		 * check for indirection
-		 */
-		switch (n & INDIR_MASK) {
-		case 0:			/* normal case, n == len */
-			cp += n;
-			continue;
-		case INDIR_MASK:	/* indirection */
-			cp++;
-			break;
-		default:		/* illegal type */
-			return (-1);
-		}
-		break;
-	}
-	if (cp > eom)
-		return (-1);
-	return (cp - comp_dn);
-}
-
-static int
-mklower(ch)
-	register int ch;
-{
-	if (isascii(ch) && isupper(ch))
-		return (tolower(ch));
-	return (ch);
-}
-
-/*
- * Search for expanded name from a list of previously compressed names.
- * Return the offset from msg if found or -1.
- * dnptrs is the pointer to the first name on the list,
- * not the pointer to the start of the message.
- */
-static int
-dn_find(exp_dn, msg, dnptrs, lastdnptr)
-	u_char *exp_dn, *msg;
-	u_char **dnptrs, **lastdnptr;
-{
-	register u_char *dn, *cp, **cpp;
-	register int n;
-	u_char *sp;
-
-	for (cpp = dnptrs; cpp < lastdnptr; cpp++) {
-		dn = exp_dn;
-		sp = cp = *cpp;
-		while ( (n = *cp++) ) {
-			/*
-			 * check for indirection
-			 */
-			switch (n & INDIR_MASK) {
-			case 0:		/* normal case, n == len */
-				while (--n >= 0) {
-					if (*dn == '.')
-						goto next;
-					if (*dn == '\\')
-						dn++;
-					if (mklower(*dn++) != mklower(*cp++))
-						goto next;
-				}
-				if ((n = *dn++) == '\0' && *cp == '\0')
-					return (sp - msg);
-				if (n == '.')
-					continue;
-				goto next;
+__dn_skipname(const u_char *ptr, const u_char *eom) {
+	const u_char *saveptr = ptr;
 
-			case INDIR_MASK:	/* indirection */
-				cp = msg + (((n & 0x3f) << 8) | *cp);
-				break;
-
-			default:	/* illegal type */
-				return (-1);
-			}
-		}
-		if (*dn == '\0')
-			return (sp - msg);
-	next:	;
-	}
-	return (-1);
+	if (ns_name_skip(&ptr, eom) == -1)
+		return (-1);
+	return (ptr - saveptr);
 }
 
 /*
@@ -494,3 +283,640 @@ __putlong(l, msgp)
 {
 	PUTLONG(l, msgp);
 }
+
+/* ++ From BIND 8.1.1. ++ */
+/*
+ * Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*"Id: ns_name.c,v 1.1 1997/12/13 02:41:13 vixie Exp vixie"*/
+
+/*#include "port_before.h"*/
+
+/*#include <sys/types.h>*/
+
+/*#include <netinet/in.h>*/
+/*#include <arpa/nameser.h>*/
+
+/*#include <errno.h>*/
+/*#include <resolv.h>*/
+/*#include <string.h>*/
+
+/*#include "port_after.h"*/
+
+#define NS_CMPRSFLGS	0xc0	/* Flag bits indicating name compression. */
+#define NS_MAXCDNAME	255	/* maximum compressed domain name */
+
+/* Data. */
+
+static char		digits[] = "0123456789";
+
+/* Forward. */
+
+static int		special(int);
+static int		printable(int);
+static int		dn_find(const u_char *, const u_char *,
+				const u_char * const *,
+				const u_char * const *);
+
+/* Public. */
+
+/*
+ * ns_name_ntop(src, dst, dstsiz)
+ *	Convert an encoded domain name to printable ascii as per RFC1035.
+ * return:
+ *	Number of bytes written to buffer, or -1 (with errno set)
+ * notes:
+ *	The root is returned as "."
+ *	All other domains are returned in non absolute form
+ */
+static int
+ns_name_ntop(src, dst, dstsiz)
+	const u_char *src;
+	char *dst;
+	size_t dstsiz;
+{
+	const u_char *cp;
+	char *dn, *eom;
+	u_char c;
+	u_int n;
+
+	cp = src;
+	dn = dst;
+	eom = dst + dstsiz;
+
+	while ((n = *cp++) != 0) {
+		if ((n & NS_CMPRSFLGS) != 0) {
+			/* Some kind of compression pointer. */
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		if (dn != dst) {
+			if (dn >= eom) {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			*dn++ = '.';
+		}
+		if (dn + n >= eom) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		for ((void)NULL; n > 0; n--) {
+			c = *cp++;
+			if (special(c)) {
+				if (dn + 1 >= eom) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				*dn++ = '\\';
+				*dn++ = (char)c;
+			} else if (!printable(c)) {
+				if (dn + 3 >= eom) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				*dn++ = '\\';
+				*dn++ = digits[c / 100];
+				*dn++ = digits[(c % 100) / 10];
+				*dn++ = digits[c % 10];
+			} else {
+				if (dn >= eom) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				*dn++ = (char)c;
+			}
+		}
+	}
+	if (dn == dst) {
+		if (dn >= eom) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		*dn++ = '.';
+	}
+	if (dn >= eom) {
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	*dn++ = '\0';
+	return (dn - dst);
+}
+
+/*
+ * ns_name_pton(src, dst, dstsiz)
+ *	Convert a ascii string into an encoded domain name as per RFC1035.
+ * return:
+ *	-1 if it fails
+ *	1 if string was fully qualified
+ *	0 is string was not fully qualified
+ * notes:
+ *	Enforces label and domain length limits.
+ */
+
+static int
+ns_name_pton(src, dst, dstsiz)
+	const char *src;
+	u_char *dst;
+	size_t dstsiz;
+{
+	u_char *label, *bp, *eom;
+	int c, n, escaped;
+	char *cp;
+
+	escaped = 0;
+	bp = dst;
+	eom = dst + dstsiz;
+	label = bp++;
+
+	while ((c = *src++) != 0) {
+		if (escaped) {
+			if ((cp = strchr(digits, c)) != NULL) {
+				n = (cp - digits) * 100;
+				if ((c = *src++) == 0 ||
+				    (cp = strchr(digits, c)) == NULL) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				n += (cp - digits) * 10;
+				if ((c = *src++) == 0 ||
+				    (cp = strchr(digits, c)) == NULL) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				n += (cp - digits);
+				if (n > 255) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				c = n;
+			}
+			escaped = 0;
+		} else if (c == '\\') {
+			escaped = 1;
+			continue;
+		} else if (c == '.') {
+			c = (bp - label - 1);
+			if ((c & NS_CMPRSFLGS) != 0) {	/* Label too big. */
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			if (label >= eom) {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			*label = c;
+			/* Fully qualified ? */
+			if (*src == '\0') {
+				if (c != 0) {
+					if (bp >= eom) {
+						errno = EMSGSIZE;
+						return (-1);
+					}
+					*bp++ = '\0';
+				}
+				if ((bp - dst) > MAXCDNAME) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				return (1);
+			}
+			if (c == 0) {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			label = bp++;
+			continue;
+		}
+		if (bp >= eom) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		*bp++ = (u_char)c;
+	}
+	c = (bp - label - 1);
+	if ((c & NS_CMPRSFLGS) != 0) {		/* Label too big. */
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	if (label >= eom) {
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	*label = c;
+	if (c != 0) {
+		if (bp >= eom) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		*bp++ = 0;
+	}
+	if ((bp - dst) > MAXCDNAME) {	/* src too big */
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	return (0);
+}
+
+/*
+ * ns_name_unpack(msg, eom, src, dst, dstsiz)
+ *	Unpack a domain name from a message, source may be compressed.
+ * return:
+ *	-1 if it fails, or consumed octets if it succeeds.
+ */
+static int
+ns_name_unpack(msg, eom, src, dst, dstsiz)
+	const u_char *msg;
+	const u_char *eom;
+	const u_char *src;
+	u_char *dst;
+	size_t dstsiz;
+{
+	const u_char *srcp, *dstlim;
+	u_char *dstp;
+	int n, c, len, checked;
+
+	len = -1;
+	checked = 0;
+	dstp = dst;
+	srcp = src;
+	dstlim = dst + dstsiz;
+	if (srcp < msg || srcp >= eom) {
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	/* Fetch next label in domain name. */
+	while ((n = *srcp++) != 0) {
+		/* Check for indirection. */
+		switch (n & NS_CMPRSFLGS) {
+		case 0:
+			/* Limit checks. */
+			if (dstp + n + 1 >= dstlim || srcp + n >= eom) {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			checked += n + 1;
+			*dstp++ = n;
+			memcpy(dstp, srcp, n);
+			dstp += n;
+			srcp += n;
+			break;
+
+		case NS_CMPRSFLGS:
+			if (srcp >= eom) {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			if (len < 0)
+				len = srcp - src + 1;
+			srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
+			if (srcp < msg || srcp >= eom) {  /* Out of range. */
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			checked += 2;
+			/*
+			 * Check for loops in the compressed name;
+			 * if we've looked at the whole message,
+			 * there must be a loop.
+			 */
+			if (checked >= eom - msg) {
+				errno = EMSGSIZE;
+				return (-1);
+			}
+			break;
+
+		default:
+			errno = EMSGSIZE;
+			return (-1);			/* flag error */
+		}
+	}
+	*dstp = '\0';
+	if (len < 0)
+		len = srcp - src;
+	return (len);
+}
+
+/*
+ * ns_name_pack(src, dst, dstsiz, dnptrs, lastdnptr)
+ *	Pack domain name 'domain' into 'comp_dn'.
+ * return:
+ *	Size of the compressed name, or -1.
+ * notes:
+ *	'dnptrs' is an array of pointers to previous compressed names.
+ *	dnptrs[0] is a pointer to the beginning of the message. The array
+ *	ends with NULL.
+ *	'lastdnptr' is a pointer to the end of the array pointed to
+ *	by 'dnptrs'.
+ * Side effects:
+ *	The list of pointers in dnptrs is updated for labels inserted into
+ *	the message as we compress the name.  If 'dnptr' is NULL, we don't
+ *	try to compress names. If 'lastdnptr' is NULL, we don't update the
+ *	list.
+ */
+static int
+ns_name_pack(src, dst, dstsiz, dnptrs, lastdnptr)
+	const u_char *src;
+	u_char *dst;
+	int dstsiz;
+	const u_char **dnptrs;
+	const u_char **lastdnptr;
+{
+	u_char *dstp;
+	const u_char **cpp, **lpp, *eob, *msg;
+	const u_char *srcp;
+	int n, l;
+
+	srcp = src;
+	dstp = dst;
+	eob = dstp + dstsiz;
+	lpp = cpp = NULL;
+	if (dnptrs != NULL) {
+		if ((msg = *dnptrs++) != NULL) {
+			for (cpp = dnptrs; *cpp != NULL; cpp++)
+				(void)NULL;
+			lpp = cpp;	/* end of list to search */
+		}
+	} else
+		msg = NULL;
+
+	/* make sure the domain we are about to add is legal */
+	l = 0;
+	do {
+		n = *srcp;
+		if ((n & NS_CMPRSFLGS) != 0) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		l += n + 1;
+		if (l > MAXCDNAME) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		srcp += n + 1;
+	} while (n != 0);
+
+	srcp = src;
+	do {
+		/* Look to see if we can use pointers. */
+		n = *srcp;
+		if (n != 0 && msg != NULL) {
+			l = dn_find(srcp, msg, (const u_char * const *)dnptrs,
+				    (const u_char * const *)lpp);
+			if (l >= 0) {
+				if (dstp + 1 >= eob) {
+					errno = EMSGSIZE;
+					return (-1);
+				}
+				*dstp++ = (l >> 8) | NS_CMPRSFLGS;
+				*dstp++ = l % 256;
+				return (dstp - dst);
+			}
+			/* Not found, save it. */
+			if (lastdnptr != NULL && cpp < lastdnptr - 1 &&
+			    (dstp - msg) < 0x4000) {
+				*cpp++ = dstp;
+				*cpp = NULL;
+			}
+		}
+		/* copy label to buffer */
+		if (n & NS_CMPRSFLGS) {		/* Should not happen. */
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		if (dstp + 1 + n >= eob) {
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		memcpy(dstp, srcp, n + 1);
+		srcp += n + 1;
+		dstp += n + 1;
+	} while (n != 0);
+
+	if (dstp > eob) {
+		if (msg != NULL)
+			*lpp = NULL;
+		errno = EMSGSIZE;
+		return (-1);
+	} 
+	return (dstp - dst);
+}
+
+/*
+ * ns_name_uncompress(msg, eom, src, dst, dstsiz)
+ *	Expand compressed domain name to presentation format.
+ * return:
+ *	Number of bytes read out of `src', or -1 (with errno set).
+ * note:
+ *	Root domain returns as "." not "".
+ */
+static int
+ns_name_uncompress(msg, eom, src, dst, dstsiz)
+	const u_char *msg;
+	const u_char *eom;
+	const u_char *src;
+	char *dst;
+	size_t dstsiz;
+{
+	u_char tmp[NS_MAXCDNAME];
+	int n;
+	
+	if ((n = ns_name_unpack(msg, eom, src, tmp, sizeof tmp)) == -1)
+		return (-1);
+	if (ns_name_ntop(tmp, dst, dstsiz) == -1)
+		return (-1);
+	return (n);
+}
+
+/*
+ * ns_name_compress(src, dst, dstsiz, dnptrs, lastdnptr)
+ *	Compress a domain name into wire format, using compression pointers.
+ * return:
+ *	Number of bytes consumed in `dst' or -1 (with errno set).
+ * notes:
+ *	'dnptrs' is an array of pointers to previous compressed names.
+ *	dnptrs[0] is a pointer to the beginning of the message.
+ *	The list ends with NULL.  'lastdnptr' is a pointer to the end of the
+ *	array pointed to by 'dnptrs'. Side effect is to update the list of
+ *	pointers for labels inserted into the message as we compress the name.
+ *	If 'dnptr' is NULL, we don't try to compress names. If 'lastdnptr'
+ *	is NULL, we don't update the list.
+ */
+static int
+ns_name_compress(src, dst, dstsiz, dnptrs, lastdnptr)
+	const char *src;
+	u_char *dst;
+	size_t dstsiz;
+	const u_char **dnptrs;
+	const u_char **lastdnptr;
+{
+	u_char tmp[NS_MAXCDNAME];
+
+	if (ns_name_pton(src, tmp, sizeof tmp) == -1)
+		return (-1);
+	return (ns_name_pack(tmp, dst, dstsiz, dnptrs, lastdnptr));
+}
+
+/*
+ * ns_name_skip(ptrptr, eom)
+ *	Advance *ptrptr to skip over the compressed name it points at.
+ * return:
+ *	0 on success, -1 (with errno set) on failure.
+ */
+static int
+ns_name_skip(ptrptr, eom)
+	const u_char **ptrptr;
+	const u_char *eom;
+{
+	const u_char *cp;
+	u_int n;
+
+	cp = *ptrptr;
+	while (cp < eom && (n = *cp++) != 0) {
+		/* Check for indirection. */
+		switch (n & NS_CMPRSFLGS) {
+		case 0:			/* normal case, n == len */
+			cp += n;
+			continue;
+		case NS_CMPRSFLGS:	/* indirection */
+			cp++;
+			break;
+		default:		/* illegal type */
+			errno = EMSGSIZE;
+			return (-1);
+		}
+		break;
+	}
+	if (cp > eom) {
+		errno = EMSGSIZE;
+		return (-1);
+	}
+	*ptrptr = cp;
+	return (0);
+}
+
+/* Private. */
+
+/*
+ * special(ch)
+ *	Thinking in noninternationalized USASCII (per the DNS spec),
+ *	is this characted special ("in need of quoting") ?
+ * return:
+ *	boolean.
+ */
+static int
+special(ch)
+	int ch;
+{
+	switch (ch) {
+	case 0x22: /* '"' */
+	case 0x2E: /* '.' */
+	case 0x3B: /* ';' */
+	case 0x5C: /* '\\' */
+	/* Special modifiers in zone files. */
+	case 0x40: /* '@' */
+	case 0x24: /* '$' */
+		return (1);
+	default:
+		return (0);
+	}
+}
+
+/*
+ * printable(ch)
+ *	Thinking in noninternationalized USASCII (per the DNS spec),
+ *	is this character visible and not a space when printed ?
+ * return:
+ *	boolean.
+ */
+static int
+printable(ch)
+	int ch;
+{
+	return (ch > 0x20 && ch < 0x7f);
+}
+
+/*
+ *	Thinking in noninternationalized USASCII (per the DNS spec),
+ *	convert this character to lower case if it's upper case.
+ */
+static int
+mklower(ch)
+	int ch;
+{
+	if (ch >= 0x41 && ch <= 0x5A)
+		return (ch + 0x20);
+	return (ch);
+}
+
+/*
+ * dn_find(domain, msg, dnptrs, lastdnptr)
+ *	Search for the counted-label name in an array of compressed names.
+ * return:
+ *	offset from msg if found, or -1.
+ * notes:
+ *	dnptrs is the pointer to the first name on the list,
+ *	not the pointer to the start of the message.
+ */
+static int
+dn_find(domain, msg, dnptrs, lastdnptr)
+	const u_char *domain;
+	const u_char *msg;
+	const u_char * const *dnptrs;
+	const u_char * const *lastdnptr;
+{
+	const u_char *dn, *cp, *sp;
+	const u_char * const *cpp;
+	u_int n;
+
+	for (cpp = dnptrs; cpp < lastdnptr; cpp++) {
+		dn = domain;
+		sp = cp = *cpp;
+		while ((n = *cp++) != 0) {
+			/*
+			 * check for indirection
+			 */
+			switch (n & NS_CMPRSFLGS) {
+			case 0:			/* normal case, n == len */
+				if (n != *dn++)
+					goto next;
+				for ((void)NULL; n > 0; n--)
+					if (mklower(*dn++) != mklower(*cp++))
+						goto next;
+				/* Is next root for both ? */
+				if (*dn == '\0' && *cp == '\0')
+					return (sp - msg);
+				if (*dn)
+					continue;
+				goto next;
+
+			case NS_CMPRSFLGS:	/* indirection */
+				cp = msg + (((n & 0x3f) << 8) | *cp);
+				break;
+
+			default:	/* illegal type */
+				errno = EMSGSIZE;
+				return (-1);
+			}
+		}
+ next: ;
+	}
+	errno = ENOENT;
+	return (-1);
+}
+
+/* -- From BIND 8.1.1. -- */
diff --git a/lib/libc/net/res_send.c b/lib/libc/net/res_send.c
index 70a5c17..b8acbfd 100644
--- a/lib/libc/net/res_send.c
+++ b/lib/libc/net/res_send.c
@@ -55,8 +55,8 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)res_send.c	8.1 (Berkeley) 6/4/93";
-static char orig_rcsid[] = "From: Id: res_send.c,v 8.13 1997/06/01 20:34:37 vixie Exp";
-static char rcsid[] = "$Id: res_send.c,v 1.19 1997/09/14 09:44:34 peter Exp $";
+static char orig_rcsid[] = "From: Id: res_send.c,v 8.14 1998/04/07 04:59:46 vixie Exp $";
+static char rcsid[] = "$Id: res_send.c,v 1.20 1997/09/16 06:03:54 peter Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -191,6 +191,8 @@ res_isourserver(inp)
 /* int
  * res_nameinquery(name, type, class, buf, eom)
  *	look for (name,type,class) in the query section of packet (buf,eom)
+ * requires:
+ *	buf + HFIXESDZ <= eom
  * returns:
  *	-1 : format error
  *	0  : not found
@@ -215,6 +217,8 @@ res_nameinquery(name, type, class, buf, eom)
 		if (n < 0)
 			return (-1);
 		cp += n;
+		if (cp + 2 * INT16SZ > eom)
+			return (-1);
 		ttype = _getshort(cp); cp += INT16SZ;
 		tclass = _getshort(cp); cp += INT16SZ;
 		if (ttype == type &&
@@ -244,6 +248,9 @@ res_queriesmatch(buf1, eom1, buf2, eom2)
 	register const u_char *cp = buf1 + HFIXEDSZ;
 	int qdcount = ntohs(((HEADER*)buf1)->qdcount);
 
+	if (buf1 + HFIXEDSZ > eom1 || buf2 + HFIXEDSZ > eom2)
+		return (-1);
+
 	if (qdcount != ntohs(((HEADER*)buf2)->qdcount))
 		return (0);
 	while (qdcount-- > 0) {
@@ -254,6 +261,8 @@ res_queriesmatch(buf1, eom1, buf2, eom2)
 		if (n < 0)
 			return (-1);
 		cp += n;
+		if (cp + 2 * INT16SZ > eom1)
+			return (-1);
 		ttype = _getshort(cp);	cp += INT16SZ;
 		tclass = _getshort(cp); cp += INT16SZ;
 		if (!res_nameinquery(tname, ttype, tclass, buf2, eom2))
@@ -279,6 +288,10 @@ res_send(buf, buflen, ans, anssiz)
 		/* errno should have been set by res_init() in this case. */
 		return (-1);
 	}
+	if (anssiz < HFIXEDSZ) {
+		errno = EINVAL;
+		return (-1);
+	}
 	DprintQ((_res.options & RES_DEBUG) || (_res.pfcode & RES_PRF_QUERY),
 		(stdout, ";; res_send()\n"), buf, buflen);
 	v_circuit = (_res.options & RES_USEVC) || buflen > PACKETSZ;
@@ -423,6 +436,17 @@ read_len:
 				len = anssiz;
 			} else
 				len = resplen;
+			if (len < HFIXEDSZ) {
+				/*
+				 * Undersized message.
+				 */
+				Dprint(_res.options & RES_DEBUG,
+				       (stdout, ";; undersized: %d\n", len));
+				terrno = EMSGSIZE;
+				badns |= (1 << ns);
+				res_close();
+				goto next_ns;
+			}
 			cp = ans;
 			while (len != 0 &&
 			       (n = read(s, (char *)cp, (int)len)) > 0) {
@@ -590,6 +614,11 @@ read_len:
 					timeout.tv_sec = 1;
 			}
     wait:
+			if (s < 0) {
+				Perror(stderr, "s out-of-bounds", EMFILE);
+				res_close();
+				goto next_ns;
+			}
 			if (use_poll) {
 				struct sigaction sa, osa;
 				int sigsys_installed = 0;
@@ -662,6 +691,18 @@ read_len:
 				goto next_ns;
 			}
 			gotsomewhere = 1;
+			if (resplen < HFIXEDSZ) {
+				/*
+				 * Undersized message.
+				 */
+				Dprint(_res.options & RES_DEBUG,
+				       (stdout, ";; undersized: %d\n",
+					resplen));
+				terrno = EMSGSIZE;
+				badns |= (1 << ns);
+				res_close();
+				goto next_ns;
+			}
 			if (hp->id != anhp->id) {
 				/*
 				 * response from old query, ignore it.