From owner-svn-src-stable-10@FreeBSD.ORG Sat Aug 30 10:25:42 2014 Return-Path: Delivered-To: svn-src-stable-10@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2373C907; Sat, 30 Aug 2014 10:25:42 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0E9B91A93; Sat, 30 Aug 2014 10:25:42 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s7UAPfva050024; Sat, 30 Aug 2014 10:25:41 GMT (envelope-from ume@FreeBSD.org) Received: (from ume@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s7UAPfvX050023; Sat, 30 Aug 2014 10:25:41 GMT (envelope-from ume@FreeBSD.org) Message-Id: <201408301025.s7UAPfvX050023@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: ume set sender to ume@FreeBSD.org using -f From: Hajimu UMEMOTO Date: Sat, 30 Aug 2014 10:25:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r270839 - stable/10/lib/libc/nameser X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-10@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for only the 10-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Aug 2014 10:25:42 -0000 Author: ume Date: Sat Aug 30 10:25:41 2014 New Revision: 270839 URL: http://svnweb.freebsd.org/changeset/base/270839 Log: MFC r269873: Fix broken pointer overflow check ns_name_unpack() Many compilers may optimize away the overflow check `msg + l < msg', where `msg' is a pointer and `l' is an integer, because pointer overflow is undefined behavior in C. Use a safe precondition test `l >= eom - msg' instead. Reference: https://android-review.googlesource.com/#/c/50570/ Requested by: pfg Obtained from: NetBSD (CVS rev. 1.10) Modified: stable/10/lib/libc/nameser/ns_name.c Directory Properties: stable/10/ (props changed) Modified: stable/10/lib/libc/nameser/ns_name.c ============================================================================== --- stable/10/lib/libc/nameser/ns_name.c Sat Aug 30 10:16:25 2014 (r270838) +++ stable/10/lib/libc/nameser/ns_name.c Sat Aug 30 10:25:41 2014 (r270839) @@ -463,11 +463,12 @@ ns_name_unpack2(const u_char *msg, const } if (len < 0) len = srcp - src + 1; - srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff)); - if (srcp < msg || srcp >= eom) { /*%< Out of range. */ + l = ((n & 0x3f) << 8) | (*srcp & 0xff); + if (l >= eom - msg) { /*%< Out of range. */ errno = EMSGSIZE; return (-1); } + srcp = msg + l; checked += 2; /* * Check for loops in the compressed name;