From 4effc02129cb440c7a9baf907906ab83982ec749 Mon Sep 17 00:00:00 2001 From: Cy Schubert Date: Thu, 5 Sep 2019 19:35:30 +0000 Subject: [PATCH] Bounds check again after advancing cp, otherwise we have a possible heap buffer overflow. This was discovered by a Google fuzzer test. This can lead to remote denial of service. User interaction and execution privileges are not a prerequisite for exploitation. Reported by: enh at Google, to FreeBSD by maya@NetBSD.org Obtained from: enh at Google See also: NetBSD ns_name.c r1.12 Reviewed by: delphij, ume MFC after: 3 days https://android-review.googlesource.com/c/platform/bionic/+/1093130 Differential Revision: https://reviews.freebsd.org/D21523 --- lib/libc/nameser/ns_name.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/libc/nameser/ns_name.c b/lib/libc/nameser/ns_name.c index e5f50b3c8da4..f45278b989b1 100644 --- a/lib/libc/nameser/ns_name.c +++ b/lib/libc/nameser/ns_name.c @@ -684,7 +684,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom) { const u_char *cp; u_int n; - int l; + int l = 0; cp = *ptrptr; while (cp < eom && (n = *cp++) != 0) { @@ -694,7 +694,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom) cp += n; continue; case NS_TYPE_ELT: /*%< EDNS0 extended label */ - if ((l = labellen(cp - 1)) < 0) { + if (cp < eom && (l = labellen(cp - 1)) < 0) { errno = EMSGSIZE; /*%< XXX */ return (-1); }