diff options
author | imp <imp@FreeBSD.org> | 2002-06-26 06:04:46 +0000 |
---|---|---|
committer | imp <imp@FreeBSD.org> | 2002-06-26 06:04:46 +0000 |
commit | 2bbf857de4c4b712c707b817caa739ddfdd01207 (patch) | |
tree | 792798242de1764381a796b9f104b23f568ea708 /lib/libc | |
parent | e5bf02e8eba89885eb978ad690cd5ec851ed78c4 (diff) | |
download | FreeBSD-src-2bbf857de4c4b712c707b817caa739ddfdd01207.zip FreeBSD-src-2bbf857de4c4b712c707b817caa739ddfdd01207.tar.gz |
Avoid remote buffer overflow on hostbuf[].
Submitted by: joost Pol <joost@pine.nl>
Diffstat (limited to 'lib/libc')
-rw-r--r-- | lib/libc/net/gethostbydns.c | 1 | ||||
-rw-r--r-- | lib/libc/net/name6.c | 4 |
2 files changed, 4 insertions, 1 deletions
diff --git a/lib/libc/net/gethostbydns.c b/lib/libc/net/gethostbydns.c index 47ca575..2862236 100644 --- a/lib/libc/net/gethostbydns.c +++ b/lib/libc/net/gethostbydns.c @@ -397,6 +397,7 @@ gethostanswer(answer, anslen, qname, qtype) } bp += sizeof(align) - ((u_long)bp % sizeof(align)); + buflen -= sizeof(align) - ((u_long)bp % sizeof(align)); if (bp + n >= &hostbuf[sizeof hostbuf]) { dprintf("size (%d) too big\n", n); diff --git a/lib/libc/net/name6.c b/lib/libc/net/name6.c index 4a6d518..51edfd5 100644 --- a/lib/libc/net/name6.c +++ b/lib/libc/net/name6.c @@ -997,7 +997,7 @@ getanswer(answer, anslen, qname, qtype, template, errp) const u_char *cp; int n; const u_char *eom, *erdata; - char *bp, **ap, **hap; + char *bp, **ap, **hap, *obp; int type, class, buflen, ancount, qdcount; int haveanswer, had_error; char tbuf[MAXDNAME]; @@ -1211,7 +1211,9 @@ getanswer(answer, anslen, qname, qtype, template, errp) bp += nn; buflen -= nn; } + obp = bp; /* ALIGN rounds up */ bp = (char *)ALIGN(bp); + buflen -= (bp - obp); DNS_FATAL(bp + n < &hostbuf[sizeof hostbuf]); DNS_ASSERT(hap < &h_addr_ptrs[MAXADDRS-1]); |