This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



[PATCH] Fix out of bounds memory access in res_nquerydomain


This was spotted by Serge Pavlovsky.

                /*
                 * Check for trailing '.';
                 * copy without '.' if present.
                 */
                n = strlen(name);
                if (n >= MAXDNAME) {
                        RES_SET_H_ERRNO(statp, NO_RECOVERY);
                        return (-1);
                }
                n--;
                if (n >= 0 && name[n] == '.') {

N is of type size_t, and thus unsigned. GCC will quite sensibly eliminate the n >= 0 check. Thus if NAME was an empty string, we will read from name[-1].

It looks like this has been broken since 1999 or so when these bits were converted to use strncpy & friends rather than bcopy and MAXDNAME instead of sizeof (nbuf).

ISTM the easiest fix is to decrement N immediately after the call to strlen and twiddle MAXDNAME test to use MAXDNAME - 1. If N wraps, that test will be true and we'll return a reasonable error.

The n >= 0 test is pointless and should just be deleted.
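The check rewritten the way the mail proposes, as an added illustration that is not the attached glibc patch; MAXDNAME is defined locally with the value from <arpa/nameser.h> so the snippet builds on its own.

```c
#include <stdio.h>
#include <string.h>

/* Same value as MAXDNAME in <arpa/nameser.h>; defined locally so this runs alone. */
#define MAXDNAME 1025

/*
 * Added example, not the attached glibc patch: the trailing-'.' check from
 * res_nquerydomain written the way the mail proposes.  Returns how many bytes
 * of NAME to copy (the trailing '.' dropped if present), or -1 if NAME is
 * empty or too long.  N is size_t, so decrementing 0 wraps to SIZE_MAX and the
 * single length test rejects it; name[n] is therefore never read with n out
 * of range, and no (always-true) n >= 0 test is needed.
 */
long trailing_dot_len(const char *name)
{
    size_t n = strlen(name);

    n--;                       /* name == "" wraps n to SIZE_MAX */
    if (n >= MAXDNAME - 1)     /* same bound as n >= MAXDNAME before the decrement */
        return -1;             /* caller sets NO_RECOVERY, as the original does */
    if (name[n] == '.')        /* n is a valid index here */
        return (long)n;        /* copy without the '.' */
    return (long)(n + 1);      /* no trailing dot: use the whole name */
}

/* Constructed input of LEN 'a' bytes; reports whether the check accepts it. */
int accepts_length(size_t len)
{
    static char buf[MAXDNAME + 2];

    if (len > MAXDNAME + 1)
        return 0;
    memset(buf, 'a', len);
    buf[len] = '\0';
    return trailing_dot_len(buf) >= 0;
}

int main(void)
{
    const char *samples[] = { "", ".", "example.com", "example.com." };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %ld\n", samples[i], trailing_dot_len(samples[i]));
    printf("len %d accepted: %d\n", MAXDNAME - 1, accepts_length(MAXDNAME - 1));
    printf("len %d accepted: %d\n", MAXDNAME, accepts_length(MAXDNAME));
    return 0;
}
```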

Attachment: patch
Description: Text document

