| author | itojun <> | 2002-06-26 06:00:54 +0000 |
|---|---|---|
| committer | itojun <> | 2002-06-26 06:00:54 +0000 |
| commit | 2de6ddb6a22feedbcbc44271ca3841ddc526981b (patch) | |
| tree | 524bd879d83e4a3a441b496c0122e8a2d30eee92 /src/lib/libc/net/getnetnamadr.c | |
| parent | 403c6466072dcd35f27270cbae14d8ba3baa7a03 (diff) | |
avoid remote buffer overrun on hostbuf[]. From: Joost Pol <joost@pine.nl>
correct bad practice in the code - it uses two changing variables
to manage buffer (buf and buflen). we eliminate buflen and use
fixed point (ep) as the ending pointer.
this fix is critical.
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libc/net/getnetnamadr.c | 19 |
1 files changed, 10 insertions, 9 deletions
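diff --git a/src/lib/libc/net/getnetnamadr.c b/src/lib/libc/net/getnetnamadr.c
index 834ddf11ae..a5a4200acf 100644
--- a/src/lib/libc/net/getnetnamadr.c
+++ b/src/lib/libc/net/getnetnamadr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: getnetnamadr.c,v 1.15 2002/02/16 21:27:23 millert Exp $ */
+/* $OpenBSD: getnetnamadr.c,v 1.16 2002/06/26 06:00:54 itojun Exp $ */
 
 /*
 * Copyright (c) 1997, Jason Downs. All rights reserved.
@@ -77,7 +77,7 @@ static char sccsid[] = "@(#)getnetbyaddr.c 8.1 (Berkeley) 6/4/93";
 static char sccsid_[] = "from getnetnamadr.c 1.4 (Coimbra) 93/06/03";
 static char rcsid[] = "$From: getnetnamadr.c,v 8.7 1996/08/05 08:31:35 vixie Exp $";
 #else
-static char rcsid[] = "$OpenBSD: getnetnamadr.c,v 1.15 2002/02/16 21:27:23 millert Exp $";
+static char rcsid[] = "$OpenBSD: getnetnamadr.c,v 1.16 2002/06/26 06:00:54 itojun Exp $";
 #endif
 #endif /* LIBC_SCCS and not lint */
 
@@ -133,9 +133,9 @@ getnetanswer(answer, anslen, net_i)
 register u_char *cp;
 register int n;
 u_char *eom;
-int type, class, buflen, ancount, qdcount, haveanswer, i, nchar;
+int type, class, ancount, qdcount, haveanswer, i, nchar;
 char aux1[MAXHOSTNAMELEN], aux2[MAXHOSTNAMELEN], ans[MAXHOSTNAMELEN];
-char *in, *st, *pauxt, *bp, **ap;
+char *in, *st, *pauxt, *bp, **ap, *ep;
 char *paux1 = &aux1[0], *paux2 = &aux2[0], flag = 0;
 static struct netent net_entry;
 static char *net_aliases[MAXALIASES], netbuf[BUFSIZ+1];
@@ -159,7 +159,7 @@ getnetanswer(answer, anslen, net_i)
 ancount = ntohs(hp->ancount); /* #/records in the answer section */
 qdcount = ntohs(hp->qdcount); /* #/entries in the question section */
 bp = netbuf;
-buflen = sizeof(netbuf);
+ep = netbuf + sizeof(netbuf);
 cp = answer->buf + HFIXEDSZ;
 if (!qdcount) {
 if (hp->aa)
@@ -175,7 +175,7 @@ getnetanswer(answer, anslen, net_i)
 net_entry.n_aliases = net_aliases;
 haveanswer = 0;
 while (--ancount >= 0 && cp < eom) {
-n = dn_expand(answer->buf, eom, cp, bp, buflen);
+n = dn_expand(answer->buf, eom, cp, bp, ep - bp);
 #ifdef USE_RESOLV_NAME_OK
 if ((n < 0) || !res_dnok(bp))
 #else
@@ -190,12 +190,13 @@ getnetanswer(answer, anslen, net_i)
 cp += INT32SZ; /* TTL */
 GETSHORT(n, cp);
 if (class == C_IN && type == T_PTR) {
-n = dn_expand(answer->buf, eom, cp, bp, buflen);
+n = dn_expand(answer->buf, eom, cp, bp, ep - bp);
 #ifdef USE_RESOLV_NAME_OK
-if ((n < 0) || !res_hnok(bp)) {
+if ((n < 0) || !res_hnok(bp))
 #else
-if ((n < 0) || !_hokchar(bp)) {
+if ((n < 0) || !_hokchar(bp))
 #endif
+{
 cp += n;
 return (NULL);
 }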
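Review bot: The `ep - bp` size handed to both dn_expand() calls (new lines 178 and 193) is a valid bound only while `bp <= ep`, and the statements that advance `bp` after a name is stored are outside these hunks, as are the start and end of getnetanswer(), so that invariant should be confirmed at every `bp +=` site before relying on this fix. Because the answer buffer comes from the network, a zero or negative remainder has to end in rejection of the record rather than being passed on as an `int` length. I would record the invariant where `ep` is set, e.g. `ep = netbuf + sizeof(netbuf);	/* fixed end of netbuf; space left is always ep - bp */`. Separately, `cp += n;` just before `return (NULL);` in the T_PTR failure branch changes only the local `cp`, can run with `n < 0`, and could be dropped.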
