Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 30 Aug 2014 10:25:41 +0000 (UTC)
From:      Hajimu UMEMOTO <ume@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r270839 - stable/10/lib/libc/nameser
Message-ID:  <201408301025.s7UAPfvX050023@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: ume
Date: Sat Aug 30 10:25:41 2014
New Revision: 270839
URL: http://svnweb.freebsd.org/changeset/base/270839

Log:
  MFC r269873:
  Fix broken pointer overflow check ns_name_unpack()
  
  Many compilers may optimize away the overflow check `msg + l < msg',
  where `msg' is a pointer and `l' is an integer, because pointer
  overflow is undefined behavior in C.
  
  Use a safe precondition test `l >= eom - msg' instead.
  
  Reference:
  https://android-review.googlesource.com/#/c/50570/
  
  Requested by:	pfg
  Obtained from:	NetBSD (CVS rev. 1.10)

Modified:
  stable/10/lib/libc/nameser/ns_name.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/lib/libc/nameser/ns_name.c
==============================================================================
--- stable/10/lib/libc/nameser/ns_name.c	Sat Aug 30 10:16:25 2014	(r270838)
+++ stable/10/lib/libc/nameser/ns_name.c	Sat Aug 30 10:25:41 2014	(r270839)
@@ -463,11 +463,12 @@ ns_name_unpack2(const u_char *msg, const
 			}
 			if (len < 0)
 				len = srcp - src + 1;
-			srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
-			if (srcp < msg || srcp >= eom) {  /*%< Out of range. */
+			l = ((n & 0x3f) << 8) | (*srcp & 0xff);
+			if (l >= eom - msg) {  /*%< Out of range. */
 				errno = EMSGSIZE;
 				return (-1);
 			}
+			srcp = msg + l;
 			checked += 2;
 			/*
 			 * Check for loops in the compressed name;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201408301025.s7UAPfvX050023>