Date:      Sun, 8 Sep 2019 01:58:02 +0000 (UTC)
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r352027 - in stable: 11/lib/libc/nameser 12/lib/libc/nameser
Message-ID:  <201909080158.x881w2uC068752@repo.freebsd.org>

Author: cy
Date: Sun Sep  8 01:58:02 2019
New Revision: 352027
URL: https://svnweb.freebsd.org/changeset/base/352027

Log:
  MFC r351889:
  
  Bounds check again after advancing cp, otherwise we have a possible
  heap buffer overflow. This was discovered by a Google fuzzer test.
  This can lead to remote denial of service. User interaction and
  execution privileges are not a prerequisite for exploitation.
  
  Reported by:	enh at Google, to FreeBSD by maya@NetBSD.org
  Obtained from:	enh at Google
  See also:	NetBSD ns_name.c r1.12
  Reviewed by:	delphij, ume
  MFC after:	3 days
  	https://android-review.googlesource.com/c/platform/bionic/+/1093130
  Differential Revision:	https://reviews.freebsd.org/D21523

Modified:
  stable/11/lib/libc/nameser/ns_name.c
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/12/lib/libc/nameser/ns_name.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/lib/libc/nameser/ns_name.c
==============================================================================
--- stable/11/lib/libc/nameser/ns_name.c	Sat Sep  7 23:39:30 2019	(r352026)
+++ stable/11/lib/libc/nameser/ns_name.c	Sun Sep  8 01:58:02 2019	(r352027)
@@ -682,7 +682,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
 {
 	const u_char *cp;
 	u_int n;
-	int l;
+	int l = 0;
 
 	cp = *ptrptr;
 	while (cp < eom && (n = *cp++) != 0) {
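Review bot: The `int l = 0;` initialization is what keeps `l` well-defined once the second hunk makes the `labellen()` assignment conditional on `cp < eom`; without it, an iteration that fails the new bounds test would leave `l` uninitialized for whatever consumes it after the `switch`. A one-line comment such as `/* zero so a skipped labellen() leaves l harmless */` would make that dependency visible to the next reader, since nothing in this hunk otherwise explains why a previously uninitialized local now needs a default.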
@@ -692,7 +692,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
 			cp += n;
 			continue;
 		case NS_TYPE_ELT: /*%< EDNS0 extended label */
-			if ((l = labellen(cp - 1)) < 0) {
+			if (cp < eom && (l = labellen(cp - 1)) < 0) {
 				errno = EMSGSIZE; /*%< XXX */
 				return (-1);
 			}
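Review bot: With `cp < eom &&` short-circuiting, a truncated EDNS0 extended label makes the whole condition false and execution falls through with `l == 0` instead of reporting `EMSGSIZE`; the out-of-bounds read is gone, but truncation is now handled silently by the outer `while (cp < eom && ...)` loop rather than as an explicit error. If the intent is to reject such input, write the test as `if (cp >= eom || (l = labellen(cp - 1)) < 0) {` so the existing `errno = EMSGSIZE; return (-1);` path fires for both the short buffer and the bad label length. Either way, the loop header's `*cp++` means `cp - 1` is the type byte already validated by the loop, and the byte at `cp` that `labellen()` may inspect is exactly the one the new check guards, which matches the "bounds check again after advancing cp" description in the log.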
