2002-11-14 Paul Eggert <eggert@twionsun.com>

* resolv/nss_dns/dns-network.c (getanswer_r): Check for buffer overflow when skipping the question part and when unpacking aliases.
2025-07-29 11:41:21 +03:00 · 2002-11-18 04:10:15 +00:00
parent 502328b258
commit 9b57c1c1e4
2 changed files with 24 additions and 7 deletions
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@ -283,7 +283,15 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result,

  /* Skip the question part.  */
  while (question_count-- > 0)
-    cp += __dn_skipname (cp, end_of_message) + QFIXEDSZ;
+    {
+      int n = __dn_skipname (cp, end_of_message);
+      if (n < 0 || end_of_message - (cp + n) < QFIXEDSZ)
+       {
+         __set_h_errno (NO_RECOVERY);
+         return NSS_STATUS_UNAVAIL;
+       }
+      cp += n + QFIXEDSZ;
+    }

  alias_pointer = result->n_aliases = &net_data->aliases[0];
  *alias_pointer = NULL;
@ -344,12 +352,15 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result,
 	      return NSS_STATUS_UNAVAIL;
 	    }
 	  cp += n;
-	  *alias_pointer++ = bp;
-	  n = strlen (bp) + 1;
-	  bp += n;
-	  linebuflen -= n;
-	  result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
-	  ++have_answer;
+         if (alias_pointer + 2 < &net_data->aliases[MAX_NR_ALIASES])
+           {
+             *alias_pointer++ = bp;
+             n = strlen (bp) + 1;
+             bp += n;
+             linebuflen -= n;
+             result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
+             ++have_answer;
+           }
 	}
    }