off-by-1 error in string length validation

From: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
2000-09-25 23:04:36 +00:00 · 2000-09-25 23:04:36 +00:00 · dade4b8b1d
commit dade4b8b1d
parent e9ee7bc9d2
1 changed files with 6 additions and 7 deletions
--- a/lib/libc/net/getnameinfo.c
+++ b/lib/libc/net/getnameinfo.c
@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$KAME: getnameinfo.c,v 1.43 2000/06/12 04:27:03 itojun Exp $	*/
+/*	$KAME: getnameinfo.c,v 1.45 2000/09/25 22:43:56 itojun Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -33,11 +33,9 @@
 /*
 * Issues to be discussed:
 * - Thread safe-ness must be checked
- * - Return values.  There seems to be no standard for return value (RFC2553)
- *   but INRIA implementation returns EAI_xxx defined for getaddrinfo().
 * - RFC2553 says that we should raise error on short buffer.  X/Open says
 *   we need to truncate the result.  We obey RFC2553 (and X/Open should be
- *   modified).
+ *   modified).  ipngwg rough consensus seems to follow RFC2553.
 * - What is "local" in NI_FQDN?
 * - NI_NAMEREQD and NI_NUMERICHOST conflict with each other.
 * - (KAME extension) NI_WITHSCOPEID when called with global address,
@ -88,6 +86,7 @@ static int ip6_parsenumeric __P((const struct sockaddr *, const char *, char *,
 static int ip6_sa2str __P((const struct sockaddr_in6 *, char *, size_t, int));
 #endif

+/* 2553bis: use EAI_xx for getnameinfo */
 #define ENI_NOSOCKET 	EAI_FAIL		/*XXX*/
 #define ENI_NOSERVNAME	EAI_NONAME
 #define ENI_NOHOSTNAME	EAI_NONAME
@ -154,12 +153,12 @@ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
 				(flags & NI_DGRAM) ? "udp" : "tcp");
 		}
 		if (sp) {
-			if (strlen(sp->s_name) > servlen)
+			if (strlen(sp->s_name) + 1 > servlen)
 				return ENI_MEMORY;
 			strcpy(serv, sp->s_name);
 		} else {
 			snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
-			if (strlen(numserv) > servlen)
+			if (strlen(numserv) + 1 > servlen)
 				return ENI_MEMORY;
 			strcpy(serv, numserv);
 		}
@ -253,7 +252,7 @@ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
 					*p = '\0';
 			}
 #endif
-			if (strlen(hp->h_name) > hostlen) {
+			if (strlen(hp->h_name) + 1 > hostlen) {
 				freehostent(hp);
 				return ENI_MEMORY;
 			}