
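--- a/lib/libc/net/gethostbydns.c
+++ b/lib/libc/net/gethostbydns.c
@@ -142,12 +142,7 @@
 	} while (0)
 
 #define BOUNDS_CHECK(ptr, count) \
-	do { \
+	((ptr) + (count) > eom)
-		if ((ptr) + (count) > eom) { \
-			h_errno = NO_RECOVERY; \
-			return (NULL); \
-		} \
-	} while (0)
 
 static struct hostent *
 gethostanswer(answer, anslen, qname, qtype)
@@ -170,7 +165,7 @@
 
 	tname = qname;
 	host.h_name = NULL;
-	eom = answer->buf + anslen;
+	eom = answer->buf + (anslen > MAXPACKET ? MAXPACKET : anslen);
 	switch (qtype) {
 	case T_A:
 	case T_AAAA:
@@ -235,7 +230,11 @@
 			continue;
 		}
 		cp += n;			/* name */
-		BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ);
+		if (BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ))
+		{
+			had_error++;
+			continue;
+		}
 		type = _getshort(cp);
  		cp += INT16SZ;			/* type */
 		class = _getshort(cp);
@@ -245,7 +244,11 @@
 		cp += INT32SZ;			/* TTL */
 		n = _getshort(cp);
 		cp += INT16SZ;			/* len */
-		BOUNDS_CHECK(cp, n);
+		if (BOUNDS_CHECK(cp, n))
+		{
+			had_error++;
+			continue;
+		}
 		erdata = cp + n;
 		if (class != C_IN) {
 			/* XXX - debug? syslog? */
@@ -666,7 +669,6 @@
 	}
 	if (n > sizeof buf.buf) {
 		dprintf("static buffer is too small (%d)\n", n);
-		return (NULL);
 	}
 	if (!(hp = gethostanswer(&buf, n, qbuf, T_PTR)))
 		return (NULL);	/* h_errno was set by gethostanswer() */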
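Review bot: The rewritten `BOUNDS_CHECK` in the first hunk still tests `(ptr) + (count) > eom`, which forms a pointer past the end of the buffer before comparing; with `n` taken from the packet by `_getshort(cp)`, that addition is undefined once it lands more than one past `eom`, and a compiler may assume it never does. Comparing lengths avoids the out-of-range pointer: `((count) > eom - (ptr))`, assuming `count` stays a signed int at both call sites. The check carries more weight after the last hunk, which drops the early `return (NULL)` so an `n` larger than `sizeof buf.buf` now reaches `gethostanswer()` and is bounded only by the clamped `eom`. The declarations of `eom`, `cp` and `n` and the enclosing loop are outside the visible hunks, so the types should be confirmed there.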
