Date: Thu, 5 Sep 2019 19:35:30 +0000 (UTC) From: Cy Schubert <cy@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r351889 - head/lib/libc/nameser Message-ID: <201909051935.x85JZUbg000725@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cy Date: Thu Sep 5 19:35:30 2019 New Revision: 351889 URL: https://svnweb.freebsd.org/changeset/base/351889 Log: Bounds check again after advancing cp, otherwise we have a possible heap buffer overflow. This was discovered by a Google fuzzer test. This can lead to remote denial of service. User interaction and execution privileges are not a prerequisite for exploitation. Reported by: enh at Google, to FreeBSD by maya@NetBSD.org Obtained from: enh at Google See also: NetBSD ns_name.c r1.12 Reviewed by: delphij, ume MFC after: 3 days https://android-review.googlesource.com/c/platform/bionic/+/1093130 Differential Revision: https://reviews.freebsd.org/D21523 Modified: head/lib/libc/nameser/ns_name.c Modified: head/lib/libc/nameser/ns_name.c ============================================================================== --- head/lib/libc/nameser/ns_name.c Thu Sep 5 19:25:44 2019 (r351888) +++ head/lib/libc/nameser/ns_name.c Thu Sep 5 19:35:30 2019 (r351889) @@ -684,7 +684,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom) { const u_char *cp; u_int n; - int l; + int l = 0; cp = *ptrptr; while (cp < eom && (n = *cp++) != 0) { @@ -694,7 +694,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom) cp += n; continue; case NS_TYPE_ELT: /*%< EDNS0 extended label */ - if ((l = labellen(cp - 1)) < 0) { + if (cp < eom && (l = labellen(cp - 1)) < 0) { errno = EMSGSIZE; /*%< XXX */ return (-1); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201909051935.x85JZUbg000725>