From 52ea39e6a5b8d27dacc6016243acdaa4ed0c07ae Mon Sep 17 00:00:00 2001
From: bluhm <>
Date: Thu, 16 Mar 2023 13:28:54 +0000
Subject: Fix a number of out of bound reads in DNS response parsing. from
 millert@;  originally from djm@;  OK deraadt@ florian@ bluhm@

this is errata/7.1/026_resolv.patch.sig
---
 src/lib/libc/net/res_comp.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'src/lib/libc')

diff --git a/src/lib/libc/net/res_comp.c b/src/lib/libc/net/res_comp.c
index e637f4a958..0df9947226 100644
--- a/src/lib/libc/net/res_comp.c
+++ b/src/lib/libc/net/res_comp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: res_comp.c,v 1.20 2016/05/01 15:17:29 millert Exp $	*/
+/*	$OpenBSD: res_comp.c,v 1.20.24.1 2023/03/16 13:28:54 bluhm Exp $	*/
 
 /*
  * ++Copyright++ 1985, 1993
@@ -82,6 +82,9 @@ dn_expand(const u_char *msg, const u_char *eomorig, const u_char *comp_dn,
 	char *eom;
 	int len = -1, checked = 0;
 
+	if (comp_dn < msg || comp_dn >= eomorig)
+		return (-1);
+
 	dn = exp_dn;
 	cp = comp_dn;
 	if (length > HOST_NAME_MAX)
@@ -91,6 +94,9 @@ dn_expand(const u_char *msg, const u_char *eomorig, const u_char *comp_dn,
 	 * fetch next label in domain name
 	 */
 	while ((n = *cp++)) {
+		if (cp >= eomorig)	/* out of range */
+			return (-1);
+
 		/*
 		 * Check for indirection
 		 */
-- 
cgit v1.2.3-55-g6feb