From 99fed74ba7866f385637fb124d2b58eb87058f7c Mon Sep 17 00:00:00 2001
From: ume <ume@FreeBSD.org>
Date: Tue, 12 Aug 2014 13:09:32 +0000
Subject: Fix broken pointer overflow check ns_name_unpack()

Many compilers may optimize away the overflow check `msg + l < msg',
where `msg' is a pointer and `l' is an integer, because pointer
overflow is undefined behavior in C.

Use a safe precondition test `l >= eom - msg' instead.

Reference:
https://android-review.googlesource.com/#/c/50570/

Requested by:	pfg
Obtained from:	NetBSD (CVS rev. 1.10)
---
 lib/libc/nameser/ns_name.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/libc/nameser/ns_name.c b/lib/libc/nameser/ns_name.c
index 1f37406..5b8a8cb 100644
--- a/lib/libc/nameser/ns_name.c
+++ b/lib/libc/nameser/ns_name.c
@@ -463,11 +463,12 @@ ns_name_unpack2(const u_char *msg, const u_char *eom, const u_char *src,
 			}
 			if (len < 0)
 				len = srcp - src + 1;
-			srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
-			if (srcp < msg || srcp >= eom) {  /*%< Out of range. */
+			l = ((n & 0x3f) << 8) | (*srcp & 0xff);
+			if (l >= eom - msg) {  /*%< Out of range. */
 				errno = EMSGSIZE;
 				return (-1);
 			}
+			srcp = msg + l;
 			checked += 2;
 			/*
 			 * Check for loops in the compressed name;
-- 
cgit v1.1