git.samba.org / jlayton / glibc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1f393a1)
[network] Avoid out ouf bounds read in __libc_res_nquerydomain
authorJeff Law <law@redhat.com>
Wed, 29 Feb 2012 16:51:27 +0000 (11:51 -0500)
committerCarlos O'Donell <carlos@codesourcery.com>
Wed, 29 Feb 2012 16:51:27 +0000 (11:51 -0500)
2012-02-28  Jeff Law  <law@redhat.com>

* resolv/res_query.c (__libc_res_nquerydomain): Avoid
out of bounds read.

ChangeLog patch | blob | history
resolv/res_query.c patch | blob | history

diff --git a/ChangeLog b/ChangeLog
index 069bbc3e0f097dd73547632590180539e3f8837b..5501ffb4c44788f220575e57db62f115735ef716 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-02-29  Jeff Law  <law@redhat.com>
+
+       * resolv/res_query.c (__libc_res_nquerydomain): Avoid
+       out of bounds read.
+
 2012-02-29  Marek Polacek  <polacek@redhat.com>
 
        [BZ #13706]
diff --git a/resolv/res_query.c b/resolv/res_query.c
index 947c6513a2bd5186ddd5079c8c024df46348c2ec..abccd4a92105d4bc105b2b04307c7d03440bea38 100644 (file)
--- a/resolv/res_query.c
+++ b/resolv/res_query.c
@@ -556,12 +556,16 @@ __libc_res_nquerydomain(res_state statp,
                 * copy without '.' if present.
                 */
                n = strlen(name);
-               if (n >= MAXDNAME) {
+
+               /* Decrement N prior to checking it against MAXDNAME
+                  so that we detect a wrap to SIZE_MAX and return
+                  a reasonable error.  */
+               n--;
+               if (n >= MAXDNAME - 1) {
                        RES_SET_H_ERRNO(statp, NO_RECOVERY);
                        return (-1);
                }
-               n--;
-               if (n >= 0 && name[n] == '.') {
+               if (name[n] == '.') {
                        strncpy(nbuf, name, n);
                        nbuf[n] = '\0';
                } else
Jeff Layton's glibc branches