This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [WIP] resolv/res_send.c (__libc_res_nsend): Correctly sanity check buffer size.


On 06/03/2016 04:36 AM, Florian Weimer wrote:
> On 05/31/2016 09:19 PM, Carlos O'Donell wrote:
> 
>> diff --git a/resolv/res_send.c b/resolv/res_send.c
>> index 869294f..3f42313 100644
>> --- a/resolv/res_send.c
>> +++ b/resolv/res_send.c
>> @@ -359,7 +359,9 @@ __libc_res_nsend(res_state statp, const u_char *buf, int buflen,
>>                 return (-1);
>>         }
>>
>> -       if (anssiz < (buf2 == NULL ? 1 : 2) * HFIXEDSZ) {
>> +       /* If the buffer can't be changed, and it's less than the
>> +          minimal header size, then that's an error.  */
>> +       if (anssiz < HFIXEDSZ && ansp == NULL) {
>>                 __set_errno (EINVAL);
>>                 return (-1);
>>         }
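
Review bot: The new condition `if (anssiz < HFIXEDSZ && ansp == NULL)` drops the old `(buf2 == NULL ? 1 : 2)` factor, and the added comment does not say why. The comment should state why a single HFIXEDSZ is a sufficient minimum when buf2 is non-NULL, and why anssiz is not compared against the query length (buflen). The check also lets a call with anssiz < HFIXEDSZ proceed whenever ansp is non-NULL, and nothing in this hunk shows that the answer buffer is replaced before a header is written into it, so please point to, or add, the place where that is guaranteed on every path.
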
> 
> Maybe add a comment why we don't compare against the query size? The
> code might be used to send DNS UPDATE requests (although this isn't
> really supported), and the query might contain a large OPT RR which
> is not expected to be copied into the answer.

Right, this is only a "minimum size" sanity check, but you're right
one might ask "Why not check against the query size?"

-- 
Cheers,
Carlos.

