off-by-1 error in string length validation

From: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
itojun 2000-09-25 23:04:36 +00:00
parent e04f70f17c
commit 311be79390


@ -1,5 +1,5 @@
/* $FreeBSD$ */
/* $KAME: getnameinfo.c,v 1.43 2000/06/12 04:27:03 itojun Exp $ */
/* $KAME: getnameinfo.c,v 1.45 2000/09/25 22:43:56 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -33,11 +33,9 @@
/*
* Issues to be discussed:
* - Thread safe-ness must be checked
* - Return values. There seems to be no standard for return value (RFC2553)
* but INRIA implementation returns EAI_xxx defined for getaddrinfo().
* - RFC2553 says that we should raise error on short buffer. X/Open says
* we need to truncate the result. We obey RFC2553 (and X/Open should be
* modified).
* modified). ipngwg rough consensus seems to follow RFC2553.
* - What is "local" in NI_FQDN?
* - NI_NAMEREQD and NI_NUMERICHOST conflict with each other.
* - (KAME extension) NI_WITHSCOPEID when called with global address,
@ -88,6 +86,7 @@ static int ip6_parsenumeric __P((const struct sockaddr *, const char *, char *,
static int ip6_sa2str __P((const struct sockaddr_in6 *, char *, size_t, int));
#endif
/* 2553bis: use EAI_xx for getnameinfo */
#define ENI_NOSOCKET EAI_FAIL /*XXX*/
#define ENI_NOSERVNAME EAI_NONAME
#define ENI_NOHOSTNAME EAI_NONAME
@ -154,12 +153,12 @@ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
(flags & NI_DGRAM) ? "udp" : "tcp");
}
if (sp) {
if (strlen(sp->s_name) > servlen)
if (strlen(sp->s_name) + 1 > servlen)
return ENI_MEMORY;
strcpy(serv, sp->s_name);
} else {
snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
if (strlen(numserv) > servlen)
if (strlen(numserv) + 1 > servlen)
return ENI_MEMORY;
strcpy(serv, numserv);
}
@ -253,7 +252,7 @@ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
*p = '\0';
}
#endif
if (strlen(hp->h_name) > hostlen) {
if (strlen(hp->h_name) + 1 > hostlen) {
freehostent(hp);
return ENI_MEMORY;
}
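Review bot: The corrected bounds (`strlen(sp->s_name) + 1 > servlen`, `strlen(numserv) + 1 > servlen`, `strlen(hp->h_name) + 1 > hostlen`) still keep the length test and the `strcpy` as two separate steps, so every copy site has to account for the terminating NUL on its own. A short comment on each check, such as `/* + 1 for the terminating NUL written by strcpy() */`, would record why the bound is what it is. Where `strlcpy` is available the test and copy collapse into `if (strlcpy(serv, sp->s_name, servlen) >= servlen) return ENI_MEMORY;`, though that leaves a truncated string in the caller's buffer on failure, which the current code does not. The helpers that also take a buffer and a size (`ip6_parsenumeric`, `ip6_sa2str`) are not in the visible hunks, so it is worth confirming they apply the same `+ 1` bound. getnameinfo's body starts and ends outside these hunks.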