Author: cy
Date: Thu Sep 5 19:35:30 2019
New Revision: 351889
URL: https://svnweb.freebsd.org/changeset/base/351889
Log:
Bounds check again after advancing cp, otherwise we have a possible
heap buffer overflow. This was discovered by a Google fuzzer test.
This can lead to remote denial of service. User interaction and
execution privileges are not a prerequisite for exploitation.
Reported by: enh at Google, to FreeBSD by m...@netbsd.org
Obtained from: enh at Google
See also: NetBSD ns_name.c r1.12
Reviewed by: delphij, ume
MFC after: 3 days
https://android-review.googlesource.com/c/platform/bionic/+/1093130
Differential Revision: https://reviews.freebsd.org/D21523
Modified:
head/lib/libc/nameser/ns_name.c
Modified: head/lib/libc/nameser/ns_name.c
==============================================================================
--- head/lib/libc/nameser/ns_name.c Thu Sep 5 19:25:44 2019
(r351888)
+++ head/lib/libc/nameser/ns_name.c Thu Sep 5 19:35:30 2019
(r351889)
@@ -684,7 +684,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
{
const u_char *cp;
u_int n;
- int l;
+ int l = 0;
cp = *ptrptr;
while (cp < eom && (n = *cp++) != 0) {
@@ -694,7 +694,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
cp += n;
continue;
case NS_TYPE_ELT: /*%< EDNS0 extended label */
- if ((l = labellen(cp - 1)) < 0) {
+ if (cp < eom && (l = labellen(cp - 1)) < 0) {
errno = EMSGSIZE; /*%< XXX */
return (-1);
}
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
