This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[WIP] resolv/res_send.c (__libc_res_nsend): Correctly sanity check buffer size.

From: Carlos O'Donell <carlos at redhat dot com>
To: Florian Weimer <fweimer at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>
Date: Tue, 31 May 2016 15:19:11 -0400
Subject: [WIP] resolv/res_send.c (__libc_res_nsend): Correctly sanity check buffer size.
Authentication-results: sourceware.org; auth=none

Florian,

I had this sitting around in my tree as a fix I'd been carrying around
but for one reason or another I never had a chance to push it.

Given that the answer buffer is no longer being used for space to store
two answers the "< 2 * HFIXEDSZ" possible outcome below is now overly
conservative. We need only consider the case where (a) the buffer can't
be reallocated (ansp is NULL) and (b) the size is less than HFIXEDSZ.
For the second buffer we're always going to malloc enough space.

Thoughts?

diff --git a/resolv/res_send.c b/resolv/res_send.c
index 869294f..3f42313 100644
--- a/resolv/res_send.c
+++ b/resolv/res_send.c
@@ -359,7 +359,9 @@ __libc_res_nsend(res_state statp, const u_char *buf, int buflen,
                return (-1);
        }
 
-       if (anssiz < (buf2 == NULL ? 1 : 2) * HFIXEDSZ) {
+       /* If the buffer can't be changed, and it's less than the
+          minimal header size, then that's an error.  */
+       if (anssiz < HFIXEDSZ && ansp == NULL) {
                __set_errno (EINVAL);
                return (-1);
        }

-- 
Cheers,
Carlos.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]