Fix broken pointer overflow check ns_name_unpack()
Many compilers may optimize away the overflow check `msg + l < msg', where `msg' is a pointer and `l' is an integer, because pointer overflow is undefined behavior in C. Use a safe precondition test `l >= eom - msg' instead. Reference: https://android-review.googlesource.com/#/c/50570/ Obtained from: NetBSD (CVS rev. 1.10) MFC after: 3 weeks
This commit is contained in:
parent
046c3635cd
commit
a46361116a
@ -461,11 +461,12 @@ ns_name_unpack2(const u_char *msg, const u_char *eom, const u_char *src,
|
||||
}
|
||||
if (len < 0)
|
||||
len = srcp - src + 1;
|
||||
srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
|
||||
if (srcp < msg || srcp >= eom) { /*%< Out of range. */
|
||||
l = ((n & 0x3f) << 8) | (*srcp & 0xff);
|
||||
if (l >= eom - msg) { /*%< Out of range. */
|
||||
errno = EMSGSIZE;
|
||||
return (-1);
|
||||
}
|
||||
srcp = msg + l;
|
||||
checked += 2;
|
||||
/*
|
||||
* Check for loops in the compressed name;
|
||||
|
Loading…
Reference in New Issue
Block a user