Diffstat (limited to 'contrib/bind/named/ns_req.c')
-rw-r--r--contrib/bind/named/ns_req.c56
1 files changed, 47 insertions, 9 deletions
diff --git a/contrib/bind/named/ns_req.c b/contrib/bind/named/ns_req.c
index 0ed1296..bd59bab 100644
--- a/contrib/bind/named/ns_req.c
+++ b/contrib/bind/named/ns_req.c
@@ -1,6 +1,6 @@
#if !defined(lint) && !defined(SABER)
static char sccsid[] = "@(#)ns_req.c 4.47 (Berkeley) 7/1/91";
-static char rcsid[] = "$Id: ns_req.c,v 8.28 1997/06/01 20:34:34 vixie Exp $";
+static char rcsid[] = "$Id: ns_req.c,v 8.29 1998/04/07 04:59:45 vixie Exp $";
#endif /* not lint */
/*
@@ -328,6 +328,11 @@ req_notify(hp, cpp, eom, msg, from)
hp->rcode = FORMERR;
return (Finish);
}
+ if (*cpp + 2 * INT16SZ > eom) {
+ dprintf(1, (ddt, "FORMERR notify too short"));
+ hp->rcode = FORMERR;
+ return (Finish);
+ }
*cpp += n;
GETSHORT(type, *cpp);
GETSHORT(class, *cpp);
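Review bot: The new bounds check in req_notify runs before `*cpp += n` advances past the question name, so it tests the pre-advance pointer and the two GETSHORTs can still read up to n bytes beyond eom on a NOTIFY that ends right after the name; the req_query hunk of this same commit places the check after the advance. Swap the two so the advance comes first: `*cpp += n;` then `if (*cpp + 2 * INT16SZ > eom) { ... }`. This assumes dn_expand, called above the hunk, bounds only the name itself and not the fields after it. The dprintf text also lacks the trailing `\n` that the req_query message `"FORMERR Query message length short\n"` carries. req_notify begins and ends outside this hunk.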
@@ -461,13 +466,13 @@ req_query(hp, cpp, eom, qsp, buflenp, msglenp, msg, dfd, from)
return (Finish);
}
*cpp += n;
- GETSHORT(type, *cpp);
- GETSHORT(class, *cpp);
- if (*cpp > eom) {
+ if (*cpp + 2 * INT16SZ > eom) {
dprintf(1, (ddt, "FORMERR Query message length short\n"));
hp->rcode = FORMERR;
return (Finish);
}
+ GETSHORT(type, *cpp);
+ GETSHORT(class, *cpp);
if (*cpp < eom) {
dprintf(6, (ddt,"message length > received message\n"));
*msglenp = *cpp - msg;
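Review bot: The relocated guard `*cpp + 2 * INT16SZ > eom` forms a pointer past the end of the received message in exactly the case it is meant to reject; writing it as a remaining-length test, `if (eom - *cpp < 2 * INT16SZ)`, checks the same condition without computing an out-of-range pointer. The req_notify and req_iquery checks added by this commit have the same shape and could be changed the same way. req_query continues outside the hunk.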
@@ -990,6 +995,11 @@ req_iquery(hp, cpp, eom, buflenp, msg, from)
return (Finish);
}
*cpp += n;
+ if (*cpp + 3 * INT16SZ + INT32SZ > eom) {
+ dprintf(1, (ddt, "FORMERR IQuery message too short"));
+ hp->rcode = FORMERR;
+ return (Finish);
+ }
GETSHORT(type, *cpp);
GETSHORT(class, *cpp);
*cpp += INT32SZ; /* ttl */
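Review bot: The new check covers type, class, ttl and the rdlength field, but `dlen`, read just below this hunk, is itself a wire-supplied length and needs its own `if (*cpp + dlen > eom)` test before the rdata is touched; if such a check already exists between this hunk and the later `bcopy` into anbuf it is not visible here. The message `"FORMERR IQuery message too short"` is missing the `\n` used by the req_query message, which matters if ddt is a line-oriented log. req_iquery begins before and continues after this hunk.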
@@ -1007,7 +1017,7 @@ req_iquery(hp, cpp, eom, buflenp, msg, from)
switch (type) {
case T_A:
#ifndef INVQ
- if (!fake_iquery)
+ if (!fake_iquery || dlen != INT32SZ)
return (Refuse);
#endif
#ifdef INVQ
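Review bot: The `dlen != INT32SZ` guard is added only inside `#ifndef INVQ`, so a build with INVQ defined takes the `#ifdef INVQ` branch that starts at the end of the hunk with an unchecked T_A rdata length. Hoisting it keeps both builds consistent: put `if (dlen != INT32SZ) return (Refuse);` directly under `case T_A:` before the `#ifndef INVQ`, and leave only `if (!fake_iquery)` inside. Whether the INVQ branch validates dlen on its own cannot be told from this hunk.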
@@ -1021,7 +1031,10 @@ req_iquery(hp, cpp, eom, buflenp, msg, from)
dprintf(1, (ddt, "req: IQuery class %d type %d\n", class, type));
fname = (char *)msg + HFIXEDSZ;
- bcopy(fname, anbuf, alen = (char *)*cpp - fname);
+ alen = (char *)*cpp - fname;
+ if ((size_t)alen > sizeof anbuf)
+ return (Refuse);
+ bcopy(fname, anbuf, alen);
data = anbuf + alen - dlen;
*cpp = (u_char *)fname;
*buflenp -= HFIXEDSZ;
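Review bot: The new `alen > sizeof anbuf` guard keeps the bcopy inside anbuf, but `data = anbuf + alen - dlen` on the following line still trusts `dlen` from the wire: if dlen exceeds alen the pointer lands before anbuf. Unless dlen has already been bounded against the message between this hunk and the previous one, which is not visible here, add `if (dlen > alen) return (Refuse);` alongside the new check. req_iquery continues outside the hunk.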
@@ -1068,6 +1081,10 @@ req_iquery(hp, cpp, eom, buflenp, msg, from)
return (Finish);
}
*cpp += n;
+ if (*cpp + 2 * INT16SZ > dnbuf + *buflenp) {
+ hp->tc = 1;
+ return (Finish);
+ }
PUTSHORT((u_int16_t)dp->d_type, *cpp);
PUTSHORT((u_int16_t)dp->d_class, *cpp);
*buflenp -= n;
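Review bot: The truncation guard compares `*cpp + 2 * INT16SZ` against `dnbuf + *buflenp`, which is only a valid bound if dnbuf is the start of the buffer that *buflenp measures and *cpp points into it; if dnbuf is instead the name string passed to dn_comp as its source (the dn_comp call sits just above the hunk and is not visible), the comparison is unrelated to the output position. A one-line comment stating the invariant, such as `/* dnbuf + *buflenp is the end of the answer buffer */`, would make the check reviewable. Note also that `*buflenp -= n` after the two PUTSHORTs accounts only for the compressed name; the 2 * INT16SZ is presumably subtracted below, outside the hunk, and is worth confirming. req_iquery continues outside the hunk.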
@@ -1256,6 +1273,8 @@ make_rr(name, dp, buf, buflen, doadd)
}
buflen -= RRFIXEDSZ;
+ if (buflen < 0)
+ return (-1);
#if defined(RETURNSOA) && defined(NCACHE)
if (dp->d_rcode) {
name = (char *)dp->d_data;
@@ -1269,6 +1288,8 @@ make_rr(name, dp, buf, buflen, doadd)
return (-1);
cp = buf + n;
buflen -= n;
+ if (buflen < 0)
+ return (-1);
PUTSHORT((u_int16_t)type, cp);
PUTSHORT((u_int16_t)dp->d_class, cp);
PUTLONG(ttl, cp);
@@ -1308,6 +1329,8 @@ make_rr(name, dp, buf, buflen, doadd)
return (-1);
cp += n;
buflen -= type == T_SOA ? n + 5 * INT32SZ : n;
+ if (buflen < 0)
+ return (-1);
cp1 += strlen((char *)cp1) + 1;
n = dn_comp((char *)cp1, cp, buflen, dnptrs, edp);
if (n < 0)
@@ -1326,10 +1349,10 @@ make_rr(name, dp, buf, buflen, doadd)
/* cp1 == our data/ cp == data of RR */
cp1 = dp->d_data;
- if ((buflen -= INT16SZ) < 0)
- return (-1);
-
/* copy order */
+ buflen -= INT16SZ;
+ if (buflen < 0)
+ return (-1);
bcopy(cp1, cp, INT16SZ);
cp += INT16SZ;
cp1 += INT16SZ;
@@ -1337,6 +1360,9 @@ make_rr(name, dp, buf, buflen, doadd)
dprintf(1, (ddt, "current size n = %u\n", n));
/* copy preference */
+ buflen -= INT16SZ;
+ if (buflen < 0)
+ return (-1);
bcopy(cp1, cp, INT16SZ);
cp += INT16SZ;
cp1 += INT16SZ;
@@ -1345,6 +1371,9 @@ make_rr(name, dp, buf, buflen, doadd)
/* Flags */
n = *cp1++;
+ buflen -= n + 1;
+ if (buflen < 0)
+ return (-1);
dprintf(1, (ddt, "size of n at flags = %d\n", n));
*cp++ = n;
bcopy(cp1,cp,n);
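Review bot: The `buflen -= n + 1; if (buflen < 0) return (-1);` pair is now repeated for the NAPTR order, preference, flags, service and regexp fields and again for the SRV fields, which makes it easy for a future field to miss the check. A small helper macro, `#define NEED_SPACE(len) do { buflen -= (len); if (buflen < 0) return (-1); } while (0)`, used as `NEED_SPACE(n + 1);` before each copy, would reduce every occurrence to one line with identical behaviour. This is a style point only; the check itself is placed correctly here, before the `*cp++ = n` and bcopy that consume the space. make_rr begins and ends outside this hunk.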
@@ -1355,6 +1384,9 @@ make_rr(name, dp, buf, buflen, doadd)
/* Service */
n = *cp1++;
+ buflen -= n + 1;
+ if (buflen < 0)
+ return (-1);
*cp++ = n;
bcopy(cp1,cp,n);
cp += n;
@@ -1364,6 +1396,9 @@ make_rr(name, dp, buf, buflen, doadd)
/* Regexp */
n = *cp1++;
+ buflen -= n + 1;
+ if (buflen < 0)
+ return (-1);
*cp++ = n;
bcopy(cp1,cp,n);
cp += n;
@@ -1402,6 +1437,9 @@ make_rr(name, dp, buf, buflen, doadd)
cp1 += INT16SZ;
if (type == T_SRV) {
+ buflen -= INT16SZ*2;
+ if (buflen < 0)
+ return (-1);
bcopy(cp1, cp, INT16SZ*2);
cp += INT16SZ*2;
cp1 += INT16SZ*2;