head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.54 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.52 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.50 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.48 pkgsrc-2011Q2-base:1.2 pkgsrc-2009Q4:1.2.0.46 pkgsrc-2009Q4-base:1.2 pkgsrc-2008Q4:1.2.0.44 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.42 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.40 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.38 pkgsrc-2008Q2-base:1.2 pkgsrc-2008Q1:1.2.0.36 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.34 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.32 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.2.0.30 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.2.0.28 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.2.0.26 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.2.0.24 pkgsrc-2006Q3-base:1.2 pkgsrc-2006Q2:1.2.0.22 pkgsrc-2006Q2-base:1.2 pkgsrc-2006Q1:1.2.0.20 pkgsrc-2006Q1-base:1.2 pkgsrc-2005Q4:1.2.0.18 pkgsrc-2005Q4-base:1.2 pkgsrc-2005Q3:1.2.0.16 pkgsrc-2005Q3-base:1.2 pkgsrc-2005Q2:1.2.0.14 pkgsrc-2005Q2-base:1.2 pkgsrc-2005Q1:1.2.0.12 pkgsrc-2005Q1-base:1.2 pkgsrc-2004Q4:1.2.0.10 pkgsrc-2004Q4-base:1.2 pkgsrc-2004Q3:1.2.0.8 pkgsrc-2004Q3-base:1.2 pkgsrc-2004Q2:1.2.0.6 pkgsrc-2004Q2-base:1.2 pkgsrc-2004Q1:1.2.0.4 pkgsrc-2004Q1-base:1.2 pkgsrc-2003Q4:1.2.0.2 pkgsrc-2003Q4-base:1.2; locks; strict; comment @# @; 1.2 date 2002.06.28.05.49.10; author itojun; state dead; branches; next 1.1; 1.1 date 2002.06.26.06.00.50; author itojun; state Exp; branches; next ; desc @@ 1.2 log @upgrade to 4.9.9. --- 4.9.9-REL released --- 818. [bug] remote buffer overrun. @ text @$NetBSD: patch-aa,v 1.1 2002/06/26 06:00:50 itojun Exp $ --- res/gethnamaddr.c- Wed Jun 26 12:08:56 2002 +++ res/gethnamaddr.c Wed Jun 26 12:13:12 2002 @@@@ -112,5 +112,5 @@@@ static void map_v4v6_address __P((const char *src, char *dst)); -static void map_v4v6_hostent __P((struct hostent *hp, char **bp, int *len)); +static void map_v4v6_hostent __P((struct hostent *hp, char **bp, char *ep)); #ifdef RESOLVSORT @@@@ -181,6 +181,6 @@@@ register int n; const u_char *eom, *erdata; - char *bp, **ap, **hap; - int type, class, buflen, ancount, qdcount; + char *bp, **ap, **hap, *ep; + int type, class, ancount, qdcount; int haveanswer, had_error; int toobig = 0; @@@@ -210,5 +210,5 @@@@ qdcount = ntohs(hp->qdcount); bp = hostbuf; - buflen = sizeof hostbuf; + ep = hostbuf + sizeof hostbuf; cp = answer->buf; BOUNDED_INCR(HFIXEDSZ); @@@@ -217,5 +217,5 @@@@ return (NULL); } - n = dn_expand(answer->buf, eom, cp, bp, buflen); + n = dn_expand(answer->buf, eom, cp, bp, ep - bp); if ((n < 0) || !(*name_ok)(bp)) { h_errno = NO_RECOVERY; @@@@ -235,5 +235,4 @@@@ host.h_name = bp; bp += n; - buflen -= n; /* The qname can be abbreviated, but h_name is now absolute. */ qname = host.h_name; @@@@ -248,5 +247,5 @@@@ had_error = 0; while (ancount-- > 0 && cp < eom && !had_error) { - n = dn_expand(answer->buf, eom, cp, bp, buflen); + n = dn_expand(answer->buf, eom, cp, bp, ep - bp); if ((n < 0) || !(*name_ok)(bp)) { had_error++; @@@@ -289,8 +288,7 @@@@ } bp += n; - buflen -= n; /* Get canonical name. */ n = strlen(tbuf) + 1; /* for the \0 */ - if (n > buflen || n >= MAXHOSTNAMELEN) { + if (n > ep - bp || n >= MAXHOSTNAMELEN) { had_error++; continue; @@@@ -299,5 +297,4 @@@@ host.h_name = bp; bp += n; - buflen -= n; continue; } @@@@ -315,5 +312,5 @@@@ /* Get canonical name. */ n = strlen(tbuf) + 1; /* for the \0 */ - if (n > buflen || n >= MAXHOSTNAMELEN) { + if (n > ep - bp || n >= MAXHOSTNAMELEN) { had_error++; continue; @@@@ -322,5 +319,4 @@@@ tname = bp; bp += n; - buflen -= n; continue; } @@@@ -341,5 +337,5 @@@@ continue; /* XXX - had_error++ ? */ } - n = dn_expand(answer->buf, eom, cp, bp, buflen); + n = dn_expand(answer->buf, eom, cp, bp, ep - bp); if ((n < 0) || !res_hnok(bp)) { had_error++; @@@@ -365,5 +361,4 @@@@ } bp += n; - buflen -= n; } break; @@@@ -377,6 +372,5 @@@@ } bp += n; - buflen -= n; - map_v4v6_hostent(&host, &bp, &buflen); + map_v4v6_hostent(&host, &bp, ep); } h_errno = NETDB_SUCCESS; @@@@ -401,5 +395,4 @@@@ nn = strlen(bp) + 1; /* for the \0 */ bp += nn; - buflen -= nn; } @@@@ -420,5 +413,4 @@@@ bcopy(cp, *hap++ = bp, n); bp += n; - buflen -= n; cp += n; if (cp != erdata) { @@@@ -447,13 +439,12 @@@@ if (!host.h_name) { n = strlen(qname) + 1; /* for the \0 */ - if (n > buflen || n >= MAXHOSTNAMELEN) + if (n > ep - bp || n >= MAXHOSTNAMELEN) goto no_recovery; strcpy(bp, qname); host.h_name = bp; bp += n; - buflen -= n; } if (_res.options & RES_USE_INET6) - map_v4v6_hostent(&host, &bp, &buflen); + map_v4v6_hostent(&host, &bp, ep); h_errno = NETDB_SUCCESS; return (&host); @@@@ -489,6 +480,6 @@@@ querybuf buf; register const char *cp; - char *bp; - int n, size, type, len; + char *bp, *ep; + int n, size, type; extern struct hostent *_gethtbyname2(); @@@@ -545,5 +536,5 @@@@ hostbuf[MAXDNAME] = '\0'; bp = hostbuf + MAXDNAME; - len = sizeof hostbuf - MAXDNAME; + ep = hostbuf + sizeof hostbuf; host.h_name = hostbuf; host.h_aliases = host_aliases; @@@@ -553,5 +544,5 @@@@ host.h_addr_list = h_addr_ptrs; if (_res.options & RES_USE_INET6) - map_v4v6_hostent(&host, &bp, &len); + map_v4v6_hostent(&host, &bp, ep); h_errno = NETDB_SUCCESS; return (&host); @@@@ -578,5 +569,5 @@@@ hostbuf[MAXDNAME] = '\0'; bp = hostbuf + MAXDNAME; - len = sizeof hostbuf - MAXDNAME; + ep = hostbuf + sizeof hostbuf; host.h_name = hostbuf; host.h_aliases = host_aliases; @@@@ -885,8 +876,8 @@@@ static void -map_v4v6_hostent(hp, bpp, lenp) +map_v4v6_hostent(hp, bpp, ep) struct hostent *hp; char **bpp; - int *lenp; + char *ep; { char **ap; @@@@ -899,5 +890,5 @@@@ int i = sizeof(align) - ((u_long)*bpp % sizeof(align)); - if (*lenp < (i + IN6ADDRSZ)) { + if (ep - *bpp < (i + IN6ADDRSZ)) { /* Out of memory. Truncate address list here. XXX */ *ap = NULL; @@@@ -905,9 +896,7 @@@@ } *bpp += i; - *lenp -= i; map_v4v6_address(*ap, *bpp); *ap = *bpp; *bpp += IN6ADDRSZ; - *lenp -= IN6ADDRSZ; } } @ 1.1 log @avoid remote buffer overrun on hostbuf[]. From: Joost Pol correct bad practice in the code - it uses two changing variables to manage buffer (buf and buflen). we eliminate buflen and use fixed point (ep) as the ending pointer. this fix is critical. @ text @d1 1 a1 1 $NetBSD$ @