Module Name: src
Committed By: martin
Date: Fri Sep 6 19:51:54 UTC 2019
Modified Files:
src/lib/libc/nameser [netbsd-9]: ns_name.c
Log Message:
Pull up following revision(s) (requested by maya in ticket #186):
lib/libc/nameser/ns_name.c: revision 1.12
Since we advance cp after the bounds check, we need to test for bounds
again before using it. Discovered via fuzzing, reported by enh at google, via:
https://android-review.googlesource.com/c/platform/bionic/+/1093130
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.28.1 src/lib/libc/nameser/ns_name.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/lib/libc/nameser/ns_name.c
diff -u src/lib/libc/nameser/ns_name.c:1.11 src/lib/libc/nameser/ns_name.c:1.11.28.1
--- src/lib/libc/nameser/ns_name.c:1.11 Fri Mar 7 01:07:01 2014
+++ src/lib/libc/nameser/ns_name.c Fri Sep 6 19:51:54 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: ns_name.c,v 1.11 2014/03/07 01:07:01 christos Exp $ */
+/* $NetBSD: ns_name.c,v 1.11.28.1 2019/09/06 19:51:54 martin Exp $ */
/*
* Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
@@ -22,7 +22,7 @@
#ifdef notdef
static const char rcsid[] = "Id: ns_name.c,v 1.11 2009/01/23 19:59:16 each Exp";
#else
-__RCSID("$NetBSD: ns_name.c,v 1.11 2014/03/07 01:07:01 christos Exp $");
+__RCSID("$NetBSD: ns_name.c,v 1.11.28.1 2019/09/06 19:51:54 martin Exp $");
#endif
#endif
@@ -696,7 +696,7 @@ ns_name_skip(const u_char **ptrptr, cons
{
const u_char *cp;
u_int n;
- int l;
+ int l = 0;
cp = *ptrptr;
while (cp < eom && (n = *cp++) != 0) {
@@ -706,7 +706,7 @@ ns_name_skip(const u_char **ptrptr, cons
cp += n;
continue;
case NS_TYPE_ELT: /*%< EDNS0 extended label */
- if ((l = labellen(cp - 1)) < 0) {
+ if (cp < eom && (l = labellen(cp - 1)) < 0) {
errno = EMSGSIZE; /*%< XXX */
return (-1);
}
