1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
From bfe9a589a402d4b6265e32b1b5ca0942efdcff3b Mon Sep 17 00:00:00 2001
From: Timo Teras <timo.teras@iki.fi>
Date: Fri, 7 May 2010 11:30:04 +0300
Subject: [PATCH 2/2] resolv: various memory corruption and off by one fixes
Fixes resolution of names with AAAA entries and gethostbyaddr issues.
Signed-off-by: Timo Teras <timo.teras@iki.fi>
---
libc/inet/resolv.c | 12 ++++++++----
1 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index 84289a6..320aec4 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -689,7 +689,7 @@ int attribute_hidden __decode_dotted(const unsigned char *packet,
if (used + b + 1 >= dest_len)
return -1;
- if (offset + b + 1 >= packet_len)
+ if (offset + b >= packet_len)
return -1;
memcpy(dest + used, packet + offset, b);
offset += b;
@@ -2417,7 +2417,7 @@ int gethostbyaddr_r(const void *addr, socklen_t addrlen,
/* Layout in buf:
* char *alias[ALIAS_DIM];
* struct in[6]_addr* addr_list[2];
- * struct in[6]_addr* in;
+ * struct in[6]_addr in;
* char scratch_buffer[256+];
*/
#define in6 ((struct in6_addr *)in)
@@ -2431,9 +2431,13 @@ int gethostbyaddr_r(const void *addr, socklen_t addrlen,
#ifndef __UCLIBC_HAS_IPV6__
buf += sizeof(*in);
buflen -= sizeof(*in);
+ if (addrlen > sizeof(*in))
+ return ERANGE;
#else
buf += sizeof(*in6);
buflen -= sizeof(*in6);
+ if (addrlen > sizeof(*in6))
+ return ERANGE;
#endif
if ((ssize_t)buflen < 256)
return ERANGE;
@@ -2441,7 +2445,7 @@ int gethostbyaddr_r(const void *addr, socklen_t addrlen,
alias[1] = NULL;
addr_list[0] = in;
addr_list[1] = NULL;
- memcpy(&in, addr, addrlen);
+ memcpy(in, addr, addrlen);
if (0) /* nothing */;
#ifdef __UCLIBC_HAS_IPV4__
@@ -2456,7 +2460,7 @@ int gethostbyaddr_r(const void *addr, socklen_t addrlen,
char *dst = buf;
unsigned char *tp = (unsigned char *)addr + addrlen - 1;
do {
- dst += sprintf(dst, "%x.%x.", tp[i] & 0xf, tp[i] >> 4);
+ dst += sprintf(dst, "%x.%x.", tp[0] & 0xf, tp[0] >> 4);
tp--;
} while (tp >= (unsigned char *)addr);
strcpy(dst, "ip6.arpa");
--
1.6.3.3
|
