diff options
author | Ulrich Drepper <drepper@redhat.com> | 1998-05-29 10:21:16 +0000 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 1998-05-29 10:21:16 +0000 |
commit | 66715f834cb1f2f5c3742e94f73bd630ea4b14eb (patch) | |
tree | ddf10eb9dab578cbe895b7bf351584d47f64a2fc /resolv/gethnamaddr.c | |
parent | f962d792472c45c9bccdc6b0697ad3d6350e9270 (diff) | |
download | glibc-66715f834cb1f2f5c3742e94f73bd630ea4b14eb.tar.gz |
Update.
1998-05-28 00:53 Zack Weinberg <zack@rabi.phys.columbia.edu>
* glibcbug.in: Send to bugs@gnu or libc-alpha@cygnus depending
on whether this is a stable release or not (keeps snapshot bug
reports out of the database).
* include/libc-symbols.h: Use __ASSEMBLER__ test macro not ASSEMBLER.
* sysdeps/arm/sysdep.h: Likewise.
* sysdeps/i386/sysdep.h: Likewise.
* sysdeps/m68k/sysdep.h: Likewise.
* sysdeps/mach/mips/sysdep.h: Likewise.
* sysdeps/mach/sys/reboot.h: Likewise.
* sysdeps/mach/sysdep.h: Likewise.
* sysdeps/unix/alpha/sysdep.h: Likewise.
* sysdeps/unix/bsd/hp/m68k/sysdep.h: Likewise.
* sysdeps/unix/bsd/osf/alpha/sysdep.h: Likewise.
* sysdeps/unix/bsd/sequent/i386/sysdep.h: Likewise.
* sysdeps/unix/bsd/sony/newsos/m68k/sysdep.h: Likewise.
* sysdeps/unix/bsd/sun/m68k/sysdep.h: Likewise.
* sysdeps/unix/bsd/vax/sysdep.h: Likewise.
* sysdeps/unix/i386/sysdep.h: Likewise.
* sysdeps/unix/mips/sysdep.h: Likewise.
* sysdeps/unix/sparc/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/alpha/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/arm/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/i386/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/m68k/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/powerpc/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/sparc/sparc32/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/sparc/sparc64/sysdep.h: Likewise.
* sysdeps/unix/sysv/sysv4/solaris2/sparc/sysdep.h: Likewise.
1998-05-27 Mark Kettenis <kettenis@phys.uva.nl>
* mach/Machrules: Use $(move-if-change).
1998-05-27 Mark Kettenis <kettenis@phys.uva.nl>
* Makeconfig [elf=yes] (+interp): New variable, set to interp.os.
* Makerules (lib%.so): Depend on $(+interp).
(libc.so): Add interp.os to list of dependencies.
(interp-obj): Remove variable.
* mach/Machrules (+interp): Define to empty since libhurduser and
libmachuser don't need to have the interpreter set.
1998-05-28 Andreas Jaeger <aj@arthur.rhein-neckar.de>
* resolv/res_send.c: Security fixes from bind 4.9.7-REL.
* resolv/gethnamaddr.c: Likewise.
* resolv/res_comp.c: Likewise.
1998-05-28 Mark Kettenis <kettenis@phys.uva.nl>
* sysdeps/mach/hurd/wait4.c (__wait4): Use ANSI-style definition
so that transparent union works.
Diffstat (limited to 'resolv/gethnamaddr.c')
-rw-r--r-- | resolv/gethnamaddr.c | 44 |
1 files changed, 41 insertions, 3 deletions
diff --git a/resolv/gethnamaddr.c b/resolv/gethnamaddr.c index 4c8180fca8..3272dbd591 100644 --- a/resolv/gethnamaddr.c +++ b/resolv/gethnamaddr.c @@ -160,6 +160,24 @@ dprintf(msg, num) # define dprintf(msg, num) /*nada*/ #endif +#define BOUNDED_INCR(x) \ + do { \ + cp += x; \ + if (cp > eom) { \ + __set_h_errno (NO_RECOVERY); \ + return (NULL); \ + } \ + } while (0) + +#define BOUNDS_CHECK(ptr, count) \ + do { \ + if ((ptr) + (count) > eom) { \ + __set_h_errno (NO_RECOVERY); \ + return (NULL); \ + } \ + } while (0) + + static struct hostent * getanswer(answer, anslen, qname, qtype) const querybuf *answer; @@ -170,7 +188,7 @@ getanswer(answer, anslen, qname, qtype) register const HEADER *hp; register const u_char *cp; register int n; - const u_char *eom; + const u_char *eom, *erdata; char *bp, **ap, **hap; int type, class, buflen, ancount, qdcount; int haveanswer, had_error; @@ -201,7 +219,8 @@ getanswer(answer, anslen, qname, qtype) qdcount = ntohs(hp->qdcount); bp = hostbuf; buflen = sizeof hostbuf; - cp = answer->buf + HFIXEDSZ; + cp = answer->buf; + BOUNDED_INCR(HFIXEDSZ); if (qdcount != 1) { __set_h_errno (NO_RECOVERY); return (NULL); @@ -211,7 +230,7 @@ getanswer(answer, anslen, qname, qtype) __set_h_errno (NO_RECOVERY); return (NULL); } - cp += n + QFIXEDSZ; + BOUNDED_INCR(n + QFIXEDSZ); if (qtype == T_A || qtype == T_AAAA) { /* res_send() has already verified that the query name is the * same as the one we sent; this just gets the expanded name @@ -243,12 +262,15 @@ getanswer(answer, anslen, qname, qtype) continue; } cp += n; /* name */ + BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ); type = _getshort(cp); cp += INT16SZ; /* type */ class = _getshort(cp); cp += INT16SZ + INT32SZ; /* class, TTL */ n = _getshort(cp); cp += INT16SZ; /* len */ + BOUNDS_CHECK(cp, n); + erdata = cp + n; if (class != C_IN) { /* XXX - debug? syslog? */ cp += n; @@ -263,6 +285,10 @@ getanswer(answer, anslen, qname, qtype) continue; } cp += n; + if (cp != erdata) { + __set_h_errno (NO_RECOVERY); + return (NULL); + } /* Store alias. */ *ap++ = bp; n = strlen(bp) + 1; /* for the \0 */ @@ -291,6 +317,10 @@ getanswer(answer, anslen, qname, qtype) continue; } cp += n; + if (cp != erdata) { + __set_h_errno (NO_RECOVERY); + return (NULL); + } /* Get canonical name. */ n = strlen(tbuf) + 1; /* for the \0 */ if (n > buflen || n >= MAXHOSTNAMELEN) { @@ -326,6 +356,10 @@ getanswer(answer, anslen, qname, qtype) } #if MULTI_PTRS_ARE_ALIASES cp += n; + if (cp != erdata) { + __set_h_errno (NO_RECOVERY); + return (NULL); + } if (!haveanswer) host.h_name = bp; else if (ap < &host_aliases[MAXALIASES-1]) @@ -397,6 +431,10 @@ getanswer(answer, anslen, qname, qtype) bp += n; buflen -= n; cp += n; + if (cp != erdata) { + __set_h_errno (NO_RECOVERY); + return (NULL); + } break; default: abort(); |