From owner-svn-src-stable@FreeBSD.ORG  Sat Aug 30 18:00:14 2014
Return-Path: <owner-svn-src-stable@FreeBSD.ORG>
Delivered-To: svn-src-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 7122A3B1;
 Sat, 30 Aug 2014 18:00:14 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 5A8BF1535;
 Sat, 30 Aug 2014 18:00:14 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s7UI0E6f065540;
 Sat, 30 Aug 2014 18:00:14 GMT (envelope-from ume@FreeBSD.org)
Received: (from ume@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id s7UI0EK1065539;
 Sat, 30 Aug 2014 18:00:14 GMT (envelope-from ume@FreeBSD.org)
Message-Id: <201408301800.s7UI0EK1065539@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: ume set sender to ume@FreeBSD.org
 using -f
From: Hajimu UMEMOTO <ume@FreeBSD.org>
Date: Sat, 30 Aug 2014 18:00:14 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r270852 - stable/9/lib/libc/nameser
X-SVN-Group: stable-9
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable/>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Aug 2014 18:00:14 -0000

Author: ume
Date: Sat Aug 30 18:00:13 2014
New Revision: 270852
URL: http://svnweb.freebsd.org/changeset/base/270852

Log:
  MFC r269873:
  Fix broken pointer overflow check ns_name_unpack()
  
  Many compilers may optimize away the overflow check `msg + l < msg',
  where `msg' is a pointer and `l' is an integer, because pointer
  overflow is undefined behavior in C.
  
  Use a safe precondition test `l >= eom - msg' instead.
  
  Reference:
  https://android-review.googlesource.com/#/c/50570/
  
  Requested by:	pfg
  Obtained from:	NetBSD (CVS rev. 1.10)

Modified:
  stable/9/lib/libc/nameser/ns_name.c
Directory Properties:
  stable/9/lib/libc/   (props changed)

Modified: stable/9/lib/libc/nameser/ns_name.c
==============================================================================
--- stable/9/lib/libc/nameser/ns_name.c	Sat Aug 30 17:56:58 2014	(r270851)
+++ stable/9/lib/libc/nameser/ns_name.c	Sat Aug 30 18:00:13 2014	(r270852)
@@ -463,11 +463,12 @@ ns_name_unpack2(const u_char *msg, const
 			}
 			if (len < 0)
 				len = srcp - src + 1;
-			srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
-			if (srcp < msg || srcp >= eom) {  /*%< Out of range. */
+			l = ((n & 0x3f) << 8) | (*srcp & 0xff);
+			if (l >= eom - msg) {  /*%< Out of range. */
 				errno = EMSGSIZE;
 				return (-1);
 			}
+			srcp = msg + l;
 			checked += 2;
 			/*
 			 * Check for loops in the compressed name;