Author: ume Date: Sat Aug 30 18:00:13 2014 New Revision: 270852 URL: http://svnweb.freebsd.org/changeset/base/270852
Log: MFC r269873: Fix broken pointer overflow check ns_name_unpack() Many compilers may optimize away the overflow check `msg + l < msg', where `msg' is a pointer and `l' is an integer, because pointer overflow is undefined behavior in C. Use a safe precondition test `l >= eom - msg' instead. Reference: https://android-review.googlesource.com/#/c/50570/ Requested by: pfg Obtained from: NetBSD (CVS rev. 1.10) Modified: stable/9/lib/libc/nameser/ns_name.c Directory Properties: stable/9/lib/libc/ (props changed) Modified: stable/9/lib/libc/nameser/ns_name.c ============================================================================== --- stable/9/lib/libc/nameser/ns_name.c Sat Aug 30 17:56:58 2014 (r270851) +++ stable/9/lib/libc/nameser/ns_name.c Sat Aug 30 18:00:13 2014 (r270852) @@ -463,11 +463,12 @@ ns_name_unpack2(const u_char *msg, const } if (len < 0) len = srcp - src + 1; - srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff)); - if (srcp < msg || srcp >= eom) { /*%< Out of range. */ + l = ((n & 0x3f) << 8) | (*srcp & 0xff); + if (l >= eom - msg) { /*%< Out of range. */ errno = EMSGSIZE; return (-1); } + srcp = msg + l; checked += 2; /* * Check for loops in the compressed name; _______________________________________________ svn-src-stable-9@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-stable-9 To unsubscribe, send any mail to "svn-src-stable-9-unsubscr...@freebsd.org"
