This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [WIP] resolv/res_send.c (__libc_res_nsend): Correctly sanity check buffer size.
- From: Carlos O'Donell <carlos at redhat dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 3 Jun 2016 13:35:15 -0400
On 06/03/2016 04:36 AM, Florian Weimer wrote:
> On 05/31/2016 09:19 PM, Carlos O'Donell wrote:
>
>> diff --git a/resolv/res_send.c b/resolv/res_send.c
>> index 869294f..3f42313 100644
>> --- a/resolv/res_send.c
>> +++ b/resolv/res_send.c
>> @@ -359,7 +359,9 @@ __libc_res_nsend(res_state statp, const u_char *buf, int buflen,
>> return (-1);
>> }
>>
>> - if (anssiz < (buf2 == NULL ? 1 : 2) * HFIXEDSZ) {
>> + /* If the buffer can't be changed, and it's less than the
>> + minimal header size, then that's an error. */
>> + if (anssiz < HFIXEDSZ && ansp == NULL) {
>> __set_errno (EINVAL);
>> return (-1);
>> }
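Review bot: The new condition `anssiz < HFIXEDSZ && ansp == NULL` lets any undersized anssiz through whenever ansp is non-NULL, and it drops the old `(buf2 == NULL ? 1 : 2)` factor, but the comment above it explains neither. Nothing in this hunk shows that the answer buffer is resized before a header is written into it, so the comment should name the code path that reallocates when ansp is set, and say why a second query (buf2 != NULL) no longer needs room for two headers. If that reallocation is not guaranteed on every path, the check should keep rejecting anssiz < HFIXEDSZ regardless of ansp.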
>
> Maybe add a comment why we don't compare against the query size? The
> code might be used to send DNS UPDATE requests (although this isn't
> really supported), and the query might contain a large OPT RR which
> is not expected to be copied into the answer.
Right, this is only a "minimum size" sanity check, but you're right,
one might ask "Why not check against the query size?"
--
Cheers,
Carlos.