diff options
| author | Alexey Izbyshev <izbyshev@ispras.ru> | 2023-01-28 00:17:37 +0300 |
|---|---|---|
| committer | Rich Felker <dalias@aerifal.cx> | 2023-02-27 10:01:29 -0500 |
| commit | 12590c8bbd04ea484cee86812e2258fbdfca0e59 (patch) | |
| tree | 5f844f3a3ff128794c4bcc0cd73de2f3fadd3a61 /compat/time32/utimes_time32.c | |
| parent | bc695a5ac1d7929e5c1ad5297eb47e146cccd157 (diff) | |
| download | musl-12590c8bbd04ea484cee86812e2258fbdfca0e59.tar.gz musl-12590c8bbd04ea484cee86812e2258fbdfca0e59.tar.bz2 musl-12590c8bbd04ea484cee86812e2258fbdfca0e59.tar.xz musl-12590c8bbd04ea484cee86812e2258fbdfca0e59.zip | |
fix out-of-bounds reads in __dns_parse
There are several issues with range checks in this function:
* The question section parsing loop can read up to two out-of-bounds
bytes before doing the range check and bailing out.
* The answer section parsing loop, in addition to the same issue as
above, uses the wrong length in the range check that doesn't prevent
OOB reads when computing len later.
* The len range check before calling the callback is off by 10. Also,
p+len can overflow in a (probably theoretical) case when p is within
2^16 from UINTPTR_MAX.
Because __dns_parse is used only with stack-allocated buffers, such
small overreads can't result in a segfault. The first two also don't
affect the function result, but the last one may result in getaddrinfo
incorrectly succeeding and returning up to 10 bytes past the
response buffer as a part of the IP address, and in (canon) name
returned by getaddrinfo/getnameinfo being affected by memory past the
response buffer (because dn_expand might interpret it as a pointer).
Diffstat (limited to 'compat/time32/utimes_time32.c')
0 files changed, 0 insertions, 0 deletions