authorRich Felker <dalias@aerifal.cx>2017-04-11 22:01:31 -0400
committerRich Felker <dalias@aerifal.cx>2017-04-11 22:09:10 -0400
commit1ca597551bab424a1302938dd3504ddf73904efd (patch)
tree829fe539b9b62f57e74b8daabebcadcbe7d20109
parent54807d47acecab778498ced88ce8f62bfa16e379 (diff)
fix read past end of buffer in getaddrinfo backend
due to testing buf[i].family==AF_INET before checking i==cnt, it was possible to read past the end of the array, or past the valid part. in practice, without active bounds/indeterminate-value checking by the compiler, the worst that happened was failure to return early and optimize out the sorting that's unneeded for v4-only results. returning on i==cnt-1 rather than i==cnt would be an alternate fix, but the approach this patch takes is more idiomatic and less error-prone. patch by Timo Teräs.
-rw-r--r--src/network/lookup_name.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
index fb7303a3..066be4d5 100644
--- a/src/network/lookup_name.c
+++ b/src/network/lookup_name.c
@@ -338,8 +338,8 @@ int __lookup_name(struct address buf[static MAXADDRS], char canon[static 256], c
/* No further processing is needed if there are fewer than 2
* results or if there are only IPv4 results. */
if (cnt<2 || family==AF_INET) return cnt;
- for (i=0; buf[i].family == AF_INET; i++)
- if (i==cnt) return cnt;
+ for (i=0; i<cnt; i++) if (buf[i].family != AF_INET) break;
+ if (i==cnt) return cnt;
int cs;
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cs);
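Review bot: The new scan `for (i=0; i<cnt; i++) if (buf[i].family != AF_INET) break;` is only safe because `i<cnt` is tested before `buf[i]` is read, and nothing in the code records that ordering, which is exactly what the removed loop got wrong. I would add a comment above the loop such as `/* Test i<cnt before reading buf[i]; entries at index cnt and beyond are not valid results. */` so a later edit does not reintroduce the over-read. As a style point, putting the `if ... break;` on its own braced line would make the bound and the following `if (i==cnt) return cnt;` easier to check at a glance. The body of __lookup_name starts and ends outside the hunk, so how cnt is bounded against MAXADDRS cannot be confirmed from here.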