Date: Thu, 7 Aug 2014 16:40:24 +0000 (UTC) From: Pedro F. Giffuni <pfg@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r269668 - vendor/resolver/dist/lib/libc/nameser Message-ID: <53e3abf8.2b1a.26b42ea6@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: pfg Date: Thu Aug 7 16:40:24 2014 New Revision: 269668 URL: http://svnweb.freebsd.org/changeset/base/269668 Log: Fix broken pointer overflow check ns_name_unpack() Many compilers may optimize away the overflow check `msg + l < msg', where `msg' is a pointer and `l' is an integer, because pointer overflow is undefined behavior in C. Use a safe precondition test `l >= eom - msg' instead. Reference: https://android-review.googlesource.com/#/c/50570/ Obtained from: NetBSD (CVS rev. 1.10) MFC after: 3 weeks Modified: vendor/resolver/dist/lib/libc/nameser/ns_name.c Modified: vendor/resolver/dist/lib/libc/nameser/ns_name.c ============================================================================== --- vendor/resolver/dist/lib/libc/nameser/ns_name.c Thu Aug 7 15:56:55 2014 (r269667) +++ vendor/resolver/dist/lib/libc/nameser/ns_name.c Thu Aug 7 16:40:24 2014 (r269668) @@ -461,11 +461,12 @@ ns_name_unpack2(const u_char *msg, const } if (len < 0) len = srcp - src + 1; - srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff)); - if (srcp < msg || srcp >= eom) { /*%< Out of range. */ + l = ((n & 0x3f) << 8) | (*srcp & 0xff); + if (l >= eom - msg) { /*%< Out of range. */ errno = EMSGSIZE; return (-1); } + srcp = msg + l; checked += 2; /* * Check for loops in the compressed name;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53e3abf8.2b1a.26b42ea6>