This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
[WIP] resolv/res_send.c (__libc_res_nsend): Correctly sanity check buffer size.
- From: Carlos O'Donell <carlos at redhat dot com>
- To: Florian Weimer <fweimer at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Tue, 31 May 2016 15:19:11 -0400
- Subject: [WIP] resolv/res_send.c (__libc_res_nsend): Correctly sanity check buffer size.
Florian,
I had this sitting around in my tree as a fix I'd been carrying around
but for one reason or another I never had a chance to push it.
Given that the answer buffer is no longer being used for space to store
two answers the "< 2 * HFIXEDSZ" possible outcome below is now overly
conservative. We need only consider the case where (a) the buffer can't
be reallocated (ansp is NULL) and (b) the size is less than HFIXEDSZ.
For the second buffer we're always going to malloc enough space.
Thoughts?
diff --git a/resolv/res_send.c b/resolv/res_send.c
index 869294f..3f42313 100644
--- a/resolv/res_send.c
+++ b/resolv/res_send.c
@@ -359,7 +359,9 @@ __libc_res_nsend(res_state statp, const u_char *buf, int buflen,
return (-1);
}
- if (anssiz < (buf2 == NULL ? 1 : 2) * HFIXEDSZ) {
+ /* If the buffer can't be changed, and it's less than the
+ minimal header size, then that's an error. */
+ if (anssiz < HFIXEDSZ && ansp == NULL) {
__set_errno (EINVAL);
return (-1);
}
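Review bot: with the new condition `if (anssiz < HFIXEDSZ && ansp == NULL)`, a call with a non-NULL ansp passes this check for any anssiz below HFIXEDSZ, including zero, so the safety of the caller's buffer now depends entirely on code outside this hunk reallocating through ansp before a header is written to or read from it. Nothing in the visible lines establishes that. Please confirm every send/receive path does that reallocation before touching the first HFIXEDSZ bytes, and extend the comment to state the invariant ("if ansp is non-NULL the buffer is grown before use"). The removed test also covered the buf2 != NULL case; the reason it is safe to drop (the second answer no longer shares this buffer) is given only in the cover text and belongs in the comment or the commit message as well.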
--
Cheers,
Carlos.