Date:      Thu, 5 Sep 2019 19:35:30 +0000 (UTC)
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r351889 - head/lib/libc/nameser
Message-ID:  <201909051935.x85JZUbg000725@repo.freebsd.org>

Author: cy
Date: Thu Sep  5 19:35:30 2019
New Revision: 351889
URL: https://svnweb.freebsd.org/changeset/base/351889

Log:
  Bounds check again after advancing cp, otherwise we have a possible
  heap buffer overflow. This was discovered by a Google fuzzer test.
  This can lead to remote denial of service. User interaction and
  execution privileges are not a prerequisite for exploitation.
  
  Reported by:	enh at Google, to FreeBSD by maya@NetBSD.org
  Obtained from:	enh at Google
  See also:	NetBSD ns_name.c r1.12
  Reviewed by:	delphij, ume
  MFC after:	3 days
  	https://android-review.googlesource.com/c/platform/bionic/+/1093130
  Differential Revision:	https://reviews.freebsd.org/D21523

Modified:
  head/lib/libc/nameser/ns_name.c

Modified: head/lib/libc/nameser/ns_name.c
==============================================================================
--- head/lib/libc/nameser/ns_name.c	Thu Sep  5 19:25:44 2019	(r351888)
+++ head/lib/libc/nameser/ns_name.c	Thu Sep  5 19:35:30 2019	(r351889)
@@ -684,7 +684,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
 {
 	const u_char *cp;
 	u_int n;
-	int l;
+	int l = 0;
 
 	cp = *ptrptr;
 	while (cp < eom && (n = *cp++) != 0) {
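Review bot: the new initializer `int l = 0;` only matters because the reworked test in the NS_TYPE_ELT case can short-circuit before `l` is assigned, and nothing at the declaration says so. Add a short comment stating that 0 is the value `l` keeps when `cp` has already reached `eom`, or restructure the NS_TYPE_ELT branch so `l` is never read without being assigned, which would make the initializer unnecessary.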
@@ -694,7 +694,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
 			cp += n;
 			continue;
 		case NS_TYPE_ELT: /*%< EDNS0 extended label */
-			if ((l = labellen(cp - 1)) < 0) {
+			if (cp < eom && (l = labellen(cp - 1)) < 0) {
 				errno = EMSGSIZE; /*%< XXX */
 				return (-1);
 			}
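Review bot: in the NS_TYPE_ELT case, `cp < eom && (l = labellen(cp - 1)) < 0` skips the error return whenever `cp` has already reached `eom`, so a name cut off right after the label-type byte is not rejected at this point and execution continues with `l` left at 0. If a truncated extended label should fail like any other malformed label, write the test as `if (cp >= eom || (l = labellen(cp - 1)) < 0)` so that this case also sets `errno = EMSGSIZE` and returns -1. That form still avoids calling `labellen()` when `cp` is at `eom`, which is the guard this change is after.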


