Avoid remote buffer overflow on hostbuf[].

Submitted by: joost Pol <joost@pine.nl>

2 files changed, 4 insertions, 1 deletions

diff --git a/lib/libc/net/gethostbydns.c b/lib/libc/net/gethostbydns.c
index 47ca575..2862236 100644
--- a/lib/libc/net/gethostbydns.c
+++ b/lib/libc/net/gethostbydns.c
@@ -397,6 +397,7 @@ gethostanswer(answer, anslen, qname, qtype)
 			}
 
 			bp += sizeof(align) - ((u_long)bp % sizeof(align));
+			buflen -= sizeof(align) - ((u_long)bp % sizeof(align));
 
 			if (bp + n >= &hostbuf[sizeof hostbuf]) {
 				dprintf("size (%d) too big\n", n);
diff --git a/lib/libc/net/name6.c b/lib/libc/net/name6.c
index 4a6d518..51edfd5 100644
--- a/lib/libc/net/name6.c
+++ b/lib/libc/net/name6.c
@@ -997,7 +997,7 @@ getanswer(answer, anslen, qname, qtype, template, errp)
 	const u_char *cp;
 	int n;
 	const u_char *eom, *erdata;
-	char *bp, **ap, **hap;
+	char *bp, **ap, **hap, *obp;
 	int type, class, buflen, ancount, qdcount;
 	int haveanswer, had_error;
 	char tbuf[MAXDNAME];
@@ -1211,7 +1211,9 @@ getanswer(answer, anslen, qname, qtype, template, errp)
 				bp += nn;
 				buflen -= nn;
 			}
+			obp = bp; /* ALIGN rounds up */
 			bp = (char *)ALIGN(bp);
+			buflen -= (bp - obp);
 
 			DNS_FATAL(bp + n < &hostbuf[sizeof hostbuf]);
 			DNS_ASSERT(hap < &h_addr_ptrs[MAXADDRS-1]);