diff options
Diffstat (limited to 'contrib/bind/named/ns_req.c')
-rw-r--r-- | contrib/bind/named/ns_req.c | 56 |
1 files changed, 47 insertions, 9 deletions
diff --git a/contrib/bind/named/ns_req.c b/contrib/bind/named/ns_req.c index 0ed1296..bd59bab 100644 --- a/contrib/bind/named/ns_req.c +++ b/contrib/bind/named/ns_req.c @@ -1,6 +1,6 @@ #if !defined(lint) && !defined(SABER) static char sccsid[] = "@(#)ns_req.c 4.47 (Berkeley) 7/1/91"; -static char rcsid[] = "$Id: ns_req.c,v 8.28 1997/06/01 20:34:34 vixie Exp $"; +static char rcsid[] = "$Id: ns_req.c,v 8.29 1998/04/07 04:59:45 vixie Exp $"; #endif /* not lint */ /* @@ -328,6 +328,11 @@ req_notify(hp, cpp, eom, msg, from) hp->rcode = FORMERR; return (Finish); } + if (*cpp + 2 * INT16SZ > eom) { + dprintf(1, (ddt, "FORMERR notify too short")); + hp->rcode = FORMERR; + return (Finish); + } *cpp += n; GETSHORT(type, *cpp); GETSHORT(class, *cpp); @@ -461,13 +466,13 @@ req_query(hp, cpp, eom, qsp, buflenp, msglenp, msg, dfd, from) return (Finish); } *cpp += n; - GETSHORT(type, *cpp); - GETSHORT(class, *cpp); - if (*cpp > eom) { + if (*cpp + 2 * INT16SZ > eom) { dprintf(1, (ddt, "FORMERR Query message length short\n")); hp->rcode = FORMERR; return (Finish); } + GETSHORT(type, *cpp); + GETSHORT(class, *cpp); if (*cpp < eom) { dprintf(6, (ddt,"message length > received message\n")); *msglenp = *cpp - msg; @@ -990,6 +995,11 @@ req_iquery(hp, cpp, eom, buflenp, msg, from) return (Finish); } *cpp += n; + if (*cpp + 3 * INT16SZ + INT32SZ > eom) { + dprintf(1, (ddt, "FORMERR IQuery message too short")); + hp->rcode = FORMERR; + return (Finish); + } GETSHORT(type, *cpp); GETSHORT(class, *cpp); *cpp += INT32SZ; /* ttl */ @@ -1007,7 +1017,7 @@ req_iquery(hp, cpp, eom, buflenp, msg, from) switch (type) { case T_A: #ifndef INVQ - if (!fake_iquery) + if (!fake_iquery || dlen != INT32SZ) return (Refuse); #endif #ifdef INVQ @@ -1021,7 +1031,10 @@ req_iquery(hp, cpp, eom, buflenp, msg, from) dprintf(1, (ddt, "req: IQuery class %d type %d\n", class, type)); fname = (char *)msg + HFIXEDSZ; - bcopy(fname, anbuf, alen = (char *)*cpp - fname); + alen = (char *)*cpp - fname; + if ((size_t)alen > sizeof anbuf) + return (Refuse); + bcopy(fname, anbuf, alen); data = anbuf + alen - dlen; *cpp = (u_char *)fname; *buflenp -= HFIXEDSZ; @@ -1068,6 +1081,10 @@ req_iquery(hp, cpp, eom, buflenp, msg, from) return (Finish); } *cpp += n; + if (*cpp + 2 * INT16SZ > dnbuf + *buflenp) { + hp->tc = 1; + return (Finish); + } PUTSHORT((u_int16_t)dp->d_type, *cpp); PUTSHORT((u_int16_t)dp->d_class, *cpp); *buflenp -= n; @@ -1256,6 +1273,8 @@ make_rr(name, dp, buf, buflen, doadd) } buflen -= RRFIXEDSZ; + if (buflen < 0) + return (-1); #if defined(RETURNSOA) && defined(NCACHE) if (dp->d_rcode) { name = (char *)dp->d_data; @@ -1269,6 +1288,8 @@ make_rr(name, dp, buf, buflen, doadd) return (-1); cp = buf + n; buflen -= n; + if (buflen < 0) + return (-1); PUTSHORT((u_int16_t)type, cp); PUTSHORT((u_int16_t)dp->d_class, cp); PUTLONG(ttl, cp); @@ -1308,6 +1329,8 @@ make_rr(name, dp, buf, buflen, doadd) return (-1); cp += n; buflen -= type == T_SOA ? n + 5 * INT32SZ : n; + if (buflen < 0) + return (-1); cp1 += strlen((char *)cp1) + 1; n = dn_comp((char *)cp1, cp, buflen, dnptrs, edp); if (n < 0) @@ -1326,10 +1349,10 @@ make_rr(name, dp, buf, buflen, doadd) /* cp1 == our data/ cp == data of RR */ cp1 = dp->d_data; - if ((buflen -= INT16SZ) < 0) - return (-1); - /* copy order */ + buflen -= INT16SZ; + if (buflen < 0) + return (-1); bcopy(cp1, cp, INT16SZ); cp += INT16SZ; cp1 += INT16SZ; @@ -1337,6 +1360,9 @@ make_rr(name, dp, buf, buflen, doadd) dprintf(1, (ddt, "current size n = %u\n", n)); /* copy preference */ + buflen -= INT16SZ; + if (buflen < 0) + return (-1); bcopy(cp1, cp, INT16SZ); cp += INT16SZ; cp1 += INT16SZ; @@ -1345,6 +1371,9 @@ make_rr(name, dp, buf, buflen, doadd) /* Flags */ n = *cp1++; + buflen -= n + 1; + if (buflen < 0) + return (-1); dprintf(1, (ddt, "size of n at flags = %d\n", n)); *cp++ = n; bcopy(cp1,cp,n); @@ -1355,6 +1384,9 @@ make_rr(name, dp, buf, buflen, doadd) /* Service */ n = *cp1++; + buflen -= n + 1; + if (buflen < 0) + return (-1); *cp++ = n; bcopy(cp1,cp,n); cp += n; @@ -1364,6 +1396,9 @@ make_rr(name, dp, buf, buflen, doadd) /* Regexp */ n = *cp1++; + buflen -= n + 1; + if (buflen < 0) + return (-1); *cp++ = n; bcopy(cp1,cp,n); cp += n; @@ -1402,6 +1437,9 @@ make_rr(name, dp, buf, buflen, doadd) cp1 += INT16SZ; if (type == T_SRV) { + buflen -= INT16SZ*2; + if (buflen < 0) + return (-1); bcopy(cp1, cp, INT16SZ*2); cp += INT16SZ*2; cp1 += INT16SZ*2; |