MFC r269873:

Fix broken pointer overflow check ns_name_unpack()

Many compilers may optimize away the overflow check `msg + l < msg',
where `msg' is a pointer and `l' is an integer, because pointer
overflow is undefined behavior in C.

Use a safe precondition test `l >= eom - msg' instead.

Reference:
https://android-review.googlesource.com/#/c/50570/

Requested by:	pfg
Obtained from:	NetBSD (CVS rev. 1.10)
This commit is contained in:
ume 2014-08-30 10:25:41 +00:00
parent 7642dd9269
commit 82bd2f3628

View File

@ -463,11 +463,12 @@ ns_name_unpack2(const u_char *msg, const u_char *eom, const u_char *src,
}
if (len < 0)
len = srcp - src + 1;
srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
if (srcp < msg || srcp >= eom) { /*%< Out of range. */
l = ((n & 0x3f) << 8) | (*srcp & 0xff);
if (l >= eom - msg) { /*%< Out of range. */
errno = EMSGSIZE;
return (-1);
}
srcp = msg + l;
checked += 2;
/*
* Check for loops in the compressed name;