Bounds check again after advancing cp, otherwise we have a possible

heap buffer overflow. This was discovered by a Google fuzzer test.
This can lead to remote denial of service. User interaction and
execution privileges are not a prerequisite for exploitation.

Reported by:	enh at Google, to FreeBSD by maya@NetBSD.org
Obtained from:	enh at Google
See also:	NetBSD ns_name.c r1.12
Reviewed by:	delphij, ume
MFC after:	3 days
	https://android-review.googlesource.com/c/platform/bionic/+/1093130
Differential Revision:	https://reviews.freebsd.org/D21523
This commit is contained in:
Cy Schubert 2019-09-05 19:35:30 +00:00
parent acce2d7606
commit 4effc02129

View File

@ -684,7 +684,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
{
const u_char *cp;
u_int n;
int l;
int l = 0;
cp = *ptrptr;
while (cp < eom && (n = *cp++) != 0) {
@ -694,7 +694,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
cp += n;
continue;
case NS_TYPE_ELT: /*%< EDNS0 extended label */
if ((l = labellen(cp - 1)) < 0) {
if (cp < eom && (l = labellen(cp - 1)) < 0) {
errno = EMSGSIZE; /*%< XXX */
return (-1);
}