diff options
| author | ume <ume@FreeBSD.org> | 2014-08-12 13:09:32 +0000 |
|---|---|---|
| committer | ume <ume@FreeBSD.org> | 2014-08-12 13:09:32 +0000 |
| commit | 99fed74ba7866f385637fb124d2b58eb87058f7c (patch) | |
| tree | f3836fb933c8a3c9ac468f881c45286d7fafc518 /lib/libc | |
| parent | 034eb30570a2d8b61462db5e72cb8e3f5c762392 (diff) | |
| download | FreeBSD-src-99fed74ba7866f385637fb124d2b58eb87058f7c.zip FreeBSD-src-99fed74ba7866f385637fb124d2b58eb87058f7c.tar.gz | |
Fix broken pointer overflow check ns_name_unpack()
Many compilers may optimize away the overflow check `msg + l < msg',
where `msg' is a pointer and `l' is an integer, because pointer
overflow is undefined behavior in C.
Use a safe precondition test `l >= eom - msg' instead.
Reference:
https://android-review.googlesource.com/#/c/50570/
Requested by: pfg
Obtained from: NetBSD (CVS rev. 1.10)
Diffstat (limited to 'lib/libc')
| -rw-r--r-- | lib/libc/nameser/ns_name.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/libc/nameser/ns_name.c b/lib/libc/nameser/ns_name.c index 1f37406..5b8a8cb 100644 --- a/lib/libc/nameser/ns_name.c +++ b/lib/libc/nameser/ns_name.c @@ -463,11 +463,12 @@ ns_name_unpack2(const u_char *msg, const u_char *eom, const u_char *src, } if (len < 0) len = srcp - src + 1; - srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff)); - if (srcp < msg || srcp >= eom) { /*%< Out of range. */ + l = ((n & 0x3f) << 8) | (*srcp & 0xff); + if (l >= eom - msg) { /*%< Out of range. */ errno = EMSGSIZE; return (-1); } + srcp = msg + l; checked += 2; /* * Check for loops in the compressed name; |
