This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug network/19413] New: ns_name_unpack: UB when checking for out of range addresses


https://sourceware.org/bugzilla/show_bug.cgi?id=19413

            Bug ID: 19413
           Summary: ns_name_unpack: UB when checking for out of range
                    addresses
           Product: glibc
           Version: 2.22
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: cherepan at mccme dot ru
  Target Milestone: ---

ns_name_unpack has the following code:

 425                         srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
 426                         if (srcp < msg || srcp >= eom) {  /*%< Out of range. */

https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/ns_name.c;h=f355cf34443c46d091157ed06f4ef8487214bf10;hb=HEAD#l425

This code is invalid C. The sum "msg + ..." is undefined by the C standard when
the result doesn't point into the same array. Then, checks for pointer wrapping
like "srcp < msg" are already "miscompiled" by clang and, I guess, could be
expected to be broken by gcc in the future.

Similar to pr19391.
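
Added example, not part of the bug report and not glibc's code: one way to make the range check well defined is to compare the decoded 14-bit offset against the message length as integers, and only then form the pointer. The names compression_target, target_offset and sample_msg are hypothetical, and the message bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not glibc code. n is the first byte of a compression
 * pointer and srcp points at its second byte; the caller guarantees
 * msg <= srcp < eom. Returns the target inside [msg, eom) or NULL. */
static const unsigned char *
compression_target(const unsigned char *msg, const unsigned char *eom,
                   int n, const unsigned char *srcp)
{
    size_t len = (size_t)(eom - msg);   /* both point into the same buffer */
    size_t off = ((size_t)(n & 0x3f) << 8) | (size_t)(*srcp & 0xff);

    /* Compare integers first; msg + off is only formed once it is known
     * to land inside the message, so no out-of-range pointer ever exists. */
    if (off >= len)
        return NULL;
    return msg + off;
}

/* Constructed sample: 12 zero header bytes, the name "foo" at offset 12,
 * then three compression pointers at offsets 17, 19 and 21. */
static const unsigned char sample_msg[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    3, 'f', 'o', 'o', 0,
    0xc0, 0x0c,   /* -> offset 12, valid */
    0xc0, 0x17,   /* -> offset 23 == message length, rejected */
    0xff, 0xff    /* -> offset 0x3fff, far past the end, rejected */
};

/* Returns the offset a pointer at pos refers to, or -1 if pos does not hold
 * a complete compression pointer or the target is out of range. */
static long
target_offset(const unsigned char *msg, size_t len, size_t pos)
{
    if (len < 2 || pos >= len - 1 || (msg[pos] & 0xc0) != 0xc0)
        return -1;
    const unsigned char *t =
        compression_target(msg, msg + len, msg[pos], msg + pos + 1);
    return t ? (long)(t - msg) : -1;
}

int main(void)
{
    for (size_t pos = 17; pos <= 21; pos += 2)
        printf("pointer at %zu -> %ld\n", pos,
               target_offset(sample_msg, sizeof sample_msg, pos));
    return 0;
}
```

Because the offset is unsigned and bounded by the length before any pointer arithmetic, the "srcp < msg" half of the original test has nothing left to catch and the compiler has no undefined behaviour to reason from.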
