summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorume <ume@FreeBSD.org>2014-08-12 13:09:32 +0000
committerume <ume@FreeBSD.org>2014-08-12 13:09:32 +0000
commit99fed74ba7866f385637fb124d2b58eb87058f7c (patch)
treef3836fb933c8a3c9ac468f881c45286d7fafc518 /lib
parent034eb30570a2d8b61462db5e72cb8e3f5c762392 (diff)
downloadFreeBSD-src-99fed74ba7866f385637fb124d2b58eb87058f7c.zip
FreeBSD-src-99fed74ba7866f385637fb124d2b58eb87058f7c.tar.gz
Fix broken pointer overflow check ns_name_unpack()
Many compilers may optimize away the overflow check `msg + l < msg', where `msg' is a pointer and `l' is an integer, because pointer overflow is undefined behavior in C. Use a safe precondition test `l >= eom - msg' instead. Reference: https://android-review.googlesource.com/#/c/50570/ Requested by: pfg Obtained from: NetBSD (CVS rev. 1.10)
Diffstat (limited to 'lib')
-rw-r--r--lib/libc/nameser/ns_name.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/libc/nameser/ns_name.c b/lib/libc/nameser/ns_name.c
index 1f37406..5b8a8cb 100644
--- a/lib/libc/nameser/ns_name.c
+++ b/lib/libc/nameser/ns_name.c
@@ -463,11 +463,12 @@ ns_name_unpack2(const u_char *msg, const u_char *eom, const u_char *src,
}
if (len < 0)
len = srcp - src + 1;
- srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
- if (srcp < msg || srcp >= eom) { /*%< Out of range. */
+ l = ((n & 0x3f) << 8) | (*srcp & 0xff);
+ if (l >= eom - msg) { /*%< Out of range. */
errno = EMSGSIZE;
return (-1);
}
+ srcp = msg + l;
checked += 2;
/*
* Check for loops in the compressed name;
OpenPOWER on IntegriCloud