]>
Commit | Line | Data |
---|---|---|
f549e3c5 JB |
1 | Index: bind8/src/lib/irs/dns_ho.c |
2 | diff -c bind8/src/lib/irs/dns_ho.c:1.36 bind8/src/lib/irs/dns_ho.c:1.39 | |
3 | *** bind8/src/lib/irs/dns_ho.c:1.36 Thu May 30 23:05:30 2002 | |
4 | --- bind8/src/lib/irs/dns_ho.c Wed Jun 26 20:56:32 2002 | |
5 | *************** | |
6 | *** 74,79 **** | |
7 | --- 74,80 ---- | |
8 | #include <resolv.h> | |
9 | #include <stdio.h> | |
10 | #include <string.h> | |
11 | + #include <syslog.h> | |
12 | ||
13 | #include <isc/memcluster.h> | |
14 | #include <irs.h> | |
15 | *************** | |
16 | *** 161,167 **** | |
17 | const struct addrinfo *pai); | |
18 | ||
19 | static void map_v4v6_hostent(struct hostent *hp, char **bp, | |
20 | ! int *len); | |
21 | static void addrsort(res_state, char **, int); | |
22 | static struct hostent * gethostans(struct irs_ho *this, | |
23 | const u_char *ansbuf, int anslen, | |
24 | --- 162,168 ---- | |
25 | const struct addrinfo *pai); | |
26 | ||
27 | static void map_v4v6_hostent(struct hostent *hp, char **bp, | |
28 | ! char *ep); | |
29 | static void addrsort(res_state, char **, int); | |
30 | static struct hostent * gethostans(struct irs_ho *this, | |
31 | const u_char *ansbuf, int anslen, | |
32 | *************** | |
33 | *** 1079,1085 **** | |
34 | struct addrinfo **ret_aip, const struct addrinfo *pai) | |
35 | { | |
36 | struct pvt *pvt = (struct pvt *)this->private; | |
37 | ! int type, class, buflen, ancount, qdcount, n, haveanswer, had_error; | |
38 | int error = NETDB_SUCCESS, arcount; | |
39 | int (*name_ok)(const char *); | |
40 | const HEADER *hp; | |
41 | --- 1080,1086 ---- | |
42 | struct addrinfo **ret_aip, const struct addrinfo *pai) | |
43 | { | |
44 | struct pvt *pvt = (struct pvt *)this->private; | |
45 | ! int type, class, ancount, qdcount, n, haveanswer, had_error; | |
46 | int error = NETDB_SUCCESS, arcount; | |
47 | int (*name_ok)(const char *); | |
48 | const HEADER *hp; | |
49 | *************** | |
50 | *** 1088,1094 **** | |
51 | const u_char *cp; | |
52 | const char *tname; | |
53 | const char *hname; | |
54 | ! char *bp, **ap, **hap; | |
55 | char tbuf[MAXDNAME+1]; | |
56 | struct addrinfo sentinel, *cur, ai; | |
57 | const u_char *arp = NULL; | |
58 | --- 1089,1095 ---- | |
59 | const u_char *cp; | |
60 | const char *tname; | |
61 | const char *hname; | |
62 | ! char *bp, *ep, **ap, **hap; | |
63 | char tbuf[MAXDNAME+1]; | |
64 | struct addrinfo sentinel, *cur, ai; | |
65 | const u_char *arp = NULL; | |
66 | *************** | |
67 | *** 1131,1143 **** | |
68 | qdcount = ntohs(hp->qdcount); | |
69 | arcount = ntohs(hp->arcount); | |
70 | bp = pvt->hostbuf; | |
71 | ! buflen = sizeof pvt->hostbuf; | |
72 | cp = ansbuf + HFIXEDSZ; | |
73 | if (qdcount != 1) { | |
74 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
75 | return (NULL); | |
76 | } | |
77 | ! n = dn_expand(ansbuf, eom, cp, bp, buflen); | |
78 | if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) { | |
79 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
80 | return (NULL); | |
81 | --- 1132,1144 ---- | |
82 | qdcount = ntohs(hp->qdcount); | |
83 | arcount = ntohs(hp->arcount); | |
84 | bp = pvt->hostbuf; | |
85 | ! ep = pvt->hostbuf + sizeof(pvt->hostbuf); | |
86 | cp = ansbuf + HFIXEDSZ; | |
87 | if (qdcount != 1) { | |
88 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
89 | return (NULL); | |
90 | } | |
91 | ! n = dn_expand(ansbuf, eom, cp, bp, ep - bp); | |
92 | if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) { | |
93 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
94 | return (NULL); | |
95 | *************** | |
96 | *** 1161,1167 **** | |
97 | pvt->host.h_name = bp; | |
98 | hname = bp; | |
99 | bp += n; | |
100 | - buflen -= n; | |
101 | /* The qname can be abbreviated, but hname is now absolute. */ | |
102 | qname = pvt->host.h_name; | |
103 | } | |
104 | --- 1162,1167 ---- | |
105 | *************** | |
106 | *** 1174,1180 **** | |
107 | haveanswer = 0; | |
108 | had_error = 0; | |
109 | while (ancount-- > 0 && cp < eom && !had_error) { | |
110 | ! n = dn_expand(ansbuf, eom, cp, bp, buflen); | |
111 | if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) { | |
112 | had_error++; | |
113 | continue; | |
114 | --- 1174,1180 ---- | |
115 | haveanswer = 0; | |
116 | had_error = 0; | |
117 | while (ancount-- > 0 && cp < eom && !had_error) { | |
118 | ! n = dn_expand(ansbuf, eom, cp, bp, ep - bp); | |
119 | if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) { | |
120 | had_error++; | |
121 | continue; | |
122 | *************** | |
123 | *** 1195,1200 **** | |
124 | --- 1195,1209 ---- | |
125 | eor = cp + n; | |
126 | if ((qtype == T_A || qtype == T_AAAA || qtype == ns_t_a6 || | |
127 | qtype == T_ANY) && type == T_CNAME) { | |
128 | + if (haveanswer) { | |
129 | + int level = LOG_CRIT; | |
130 | + #ifdef LOG_SECURITY | |
131 | + level |= LOG_SECURITY; | |
132 | + #endif | |
133 | + syslog(level, | |
134 | + "gethostans: possible attempt to exploit buffer overflow while looking up %s", | |
135 | + *qname ? qname : "."); | |
136 | + } | |
137 | if (ap >= &pvt->host_aliases[MAXALIASES-1]) | |
138 | continue; | |
139 | n = dn_expand(ansbuf, eor, cp, tbuf, sizeof tbuf); | |
140 | *************** | |
141 | *** 1207,1216 **** | |
142 | *ap++ = bp; | |
143 | n = strlen(bp) + 1; /* for the \0 */ | |
144 | bp += n; | |
145 | - buflen -= n; | |
146 | /* Get canonical name. */ | |
147 | n = strlen(tbuf) + 1; /* for the \0 */ | |
148 | ! if (n > buflen || n > MAXHOSTNAMELEN) { | |
149 | had_error++; | |
150 | continue; | |
151 | } | |
152 | --- 1216,1224 ---- | |
153 | *ap++ = bp; | |
154 | n = strlen(bp) + 1; /* for the \0 */ | |
155 | bp += n; | |
156 | /* Get canonical name. */ | |
157 | n = strlen(tbuf) + 1; /* for the \0 */ | |
158 | ! if (n > (ep - bp) || n > MAXHOSTNAMELEN) { | |
159 | had_error++; | |
160 | continue; | |
161 | } | |
162 | *************** | |
163 | *** 1218,1224 **** | |
164 | pvt->host.h_name = bp; | |
165 | hname = bp; | |
166 | bp += n; | |
167 | - buflen -= n; | |
168 | continue; | |
169 | } | |
170 | if (type == ns_t_dname) { | |
171 | --- 1226,1231 ---- | |
172 | *************** | |
173 | *** 1254,1260 **** | |
174 | cp += n; | |
175 | ||
176 | n = strlen(t) + 1; /* for the \0 */ | |
177 | ! if (n > buflen) { | |
178 | had_error++; | |
179 | continue; | |
180 | } | |
181 | --- 1261,1267 ---- | |
182 | cp += n; | |
183 | ||
184 | n = strlen(t) + 1; /* for the \0 */ | |
185 | ! if (n > (ep - bp)) { | |
186 | had_error++; | |
187 | continue; | |
188 | } | |
189 | *************** | |
190 | *** 1264,1270 **** | |
191 | else | |
192 | hname = bp; | |
193 | bp += n; | |
194 | - buflen -= n; | |
195 | ||
196 | continue; | |
197 | } | |
198 | --- 1271,1276 ---- | |
199 | *************** | |
200 | *** 1290,1303 **** | |
201 | } | |
202 | /* Get canonical name. */ | |
203 | n = strlen(tbuf) + 1; /* for the \0 */ | |
204 | ! if (n > buflen) { | |
205 | had_error++; | |
206 | continue; | |
207 | } | |
208 | strcpy(bp, tbuf); | |
209 | tname = bp; | |
210 | bp += n; | |
211 | - buflen -= n; | |
212 | continue; | |
213 | } | |
214 | if (qtype == T_ANY) { | |
215 | --- 1296,1308 ---- | |
216 | } | |
217 | /* Get canonical name. */ | |
218 | n = strlen(tbuf) + 1; /* for the \0 */ | |
219 | ! if (n > (ep - bp)) { | |
220 | had_error++; | |
221 | continue; | |
222 | } | |
223 | strcpy(bp, tbuf); | |
224 | tname = bp; | |
225 | bp += n; | |
226 | continue; | |
227 | } | |
228 | if (qtype == T_ANY) { | |
229 | *************** | |
230 | *** 1321,1327 **** | |
231 | cp += n; | |
232 | continue; | |
233 | } | |
234 | ! n = dn_expand(ansbuf, eor, cp, bp, buflen); | |
235 | if (n < 0 || !maybe_hnok(pvt->res, bp) || | |
236 | n >= MAXHOSTNAMELEN) { | |
237 | had_error++; | |
238 | --- 1326,1332 ---- | |
239 | cp += n; | |
240 | continue; | |
241 | } | |
242 | ! n = dn_expand(ansbuf, eor, cp, bp, ep - bp); | |
243 | if (n < 0 || !maybe_hnok(pvt->res, bp) || | |
244 | n >= MAXHOSTNAMELEN) { | |
245 | had_error++; | |
246 | *************** | |
247 | *** 1339,1345 **** | |
248 | if (n != -1) { | |
249 | n = strlen(bp) + 1; /* for the \0 */ | |
250 | bp += n; | |
251 | - buflen -= n; | |
252 | } | |
253 | break; | |
254 | case ns_t_a6: { | |
255 | --- 1344,1349 ---- | |
256 | *************** | |
257 | *** 1439,1445 **** | |
258 | pvt->host.h_name = bp; | |
259 | hname = bp; | |
260 | bp += nn; | |
261 | - buflen -= nn; | |
262 | } | |
263 | /* Ensure alignment. */ | |
264 | bp = (char *)(((u_long)bp + (sizeof(align) - 1)) & | |
265 | --- 1443,1448 ---- | |
266 | *************** | |
267 | *** 1493,1507 **** | |
268 | haveanswer); | |
269 | if (pvt->host.h_name == NULL) { | |
270 | n = strlen(qname) + 1; /* for the \0 */ | |
271 | ! if (n > buflen || n >= MAXHOSTNAMELEN) | |
272 | goto no_recovery; | |
273 | strcpy(bp, qname); | |
274 | pvt->host.h_name = bp; | |
275 | bp += n; | |
276 | - buflen -= n; | |
277 | } | |
278 | if (pvt->res->options & RES_USE_INET6) | |
279 | ! map_v4v6_hostent(&pvt->host, &bp, &buflen); | |
280 | RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS); | |
281 | return (&pvt->host); | |
282 | } else { | |
283 | --- 1496,1509 ---- | |
284 | haveanswer); | |
285 | if (pvt->host.h_name == NULL) { | |
286 | n = strlen(qname) + 1; /* for the \0 */ | |
287 | ! if (n > (ep - bp) || n >= MAXHOSTNAMELEN) | |
288 | goto no_recovery; | |
289 | strcpy(bp, qname); | |
290 | pvt->host.h_name = bp; | |
291 | bp += n; | |
292 | } | |
293 | if (pvt->res->options & RES_USE_INET6) | |
294 | ! map_v4v6_hostent(&pvt->host, &bp, ep); | |
295 | RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS); | |
296 | return (&pvt->host); | |
297 | } else { | |
298 | *************** | |
299 | *** 1575,1581 **** | |
300 | } | |
301 | ||
302 | static void | |
303 | ! map_v4v6_hostent(struct hostent *hp, char **bpp, int *lenp) { | |
304 | char **ap; | |
305 | ||
306 | if (hp->h_addrtype != AF_INET || hp->h_length != INADDRSZ) | |
307 | --- 1577,1583 ---- | |
308 | } | |
309 | ||
310 | static void | |
311 | ! map_v4v6_hostent(struct hostent *hp, char **bpp, char *ep) { | |
312 | char **ap; | |
313 | ||
314 | if (hp->h_addrtype != AF_INET || hp->h_length != INADDRSZ) | |
315 | *************** | |
316 | *** 1588,1604 **** | |
317 | if (i != 0) | |
318 | i = sizeof(align) - i; | |
319 | ||
320 | ! if (*lenp < (i + IN6ADDRSZ)) { | |
321 | /* Out of memory. Truncate address list here. */ | |
322 | *ap = NULL; | |
323 | return; | |
324 | } | |
325 | *bpp += i; | |
326 | - *lenp -= i; | |
327 | map_v4v6_address(*ap, *bpp); | |
328 | *ap = *bpp; | |
329 | *bpp += IN6ADDRSZ; | |
330 | - *lenp -= IN6ADDRSZ; | |
331 | } | |
332 | } | |
333 | ||
334 | --- 1590,1604 ---- | |
335 | if (i != 0) | |
336 | i = sizeof(align) - i; | |
337 | ||
338 | ! if ((ep - *bpp) < (i + IN6ADDRSZ)) { | |
339 | /* Out of memory. Truncate address list here. */ | |
340 | *ap = NULL; | |
341 | return; | |
342 | } | |
343 | *bpp += i; | |
344 | map_v4v6_address(*ap, *bpp); | |
345 | *ap = *bpp; | |
346 | *bpp += IN6ADDRSZ; | |
347 | } | |
348 | } | |
349 | ||
350 | Index: bind8/src/lib/irs/dns_nw.c | |
351 | diff -c bind8/src/lib/irs/dns_nw.c:1.22 bind8/src/lib/irs/dns_nw.c:1.23 | |
352 | *** bind8/src/lib/irs/dns_nw.c:1.22 Tue Feb 26 19:50:10 2002 | |
353 | --- bind8/src/lib/irs/dns_nw.c Wed Jun 26 00:42:06 2002 | |
354 | *************** | |
355 | *** 299,306 **** | |
356 | int af, const char *name, const u_char *addr, int addrlen) | |
357 | { | |
358 | struct pvt *pvt = (struct pvt *)this->private; | |
359 | ! int type, class, buflen, ancount, qdcount, haveanswer; | |
360 | ! char *bp, **ap; | |
361 | u_char *cp, *eom; | |
362 | HEADER *hp; | |
363 | ||
364 | --- 299,306 ---- | |
365 | int af, const char *name, const u_char *addr, int addrlen) | |
366 | { | |
367 | struct pvt *pvt = (struct pvt *)this->private; | |
368 | ! int type, class, ancount, qdcount, haveanswer; | |
369 | ! char *bp, *ep, **ap; | |
370 | u_char *cp, *eom; | |
371 | HEADER *hp; | |
372 | ||
373 | *************** | |
374 | *** 332,338 **** | |
375 | ||
376 | /* Prepare a return structure. */ | |
377 | bp = pvt->buf; | |
378 | ! buflen = sizeof pvt->buf; | |
379 | pvt->net.n_name = NULL; | |
380 | pvt->net.n_aliases = pvt->ali; | |
381 | pvt->net.n_addrtype = af; | |
382 | --- 332,338 ---- | |
383 | ||
384 | /* Prepare a return structure. */ | |
385 | bp = pvt->buf; | |
386 | ! ep = pvt->buf + sizeof(pvt->buf); | |
387 | pvt->net.n_name = NULL; | |
388 | pvt->net.n_aliases = pvt->ali; | |
389 | pvt->net.n_addrtype = af; | |
390 | *************** | |
391 | *** 345,364 **** | |
392 | if (name != NULL) { | |
393 | int n = strlen(name) + 1; | |
394 | ||
395 | ! if (n > buflen) { | |
396 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
397 | return (NULL); | |
398 | } | |
399 | pvt->net.n_name = strcpy(bp, name); | |
400 | bp += n; | |
401 | - buflen -= n; | |
402 | } | |
403 | break; | |
404 | case by_addr: | |
405 | if (addr != NULL && addrlen != 0) { | |
406 | int n = addrlen / 8 + ((addrlen % 8) != 0); | |
407 | ||
408 | ! if (INADDRSZ > buflen) { | |
409 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
410 | return (NULL); | |
411 | } | |
412 | --- 345,363 ---- | |
413 | if (name != NULL) { | |
414 | int n = strlen(name) + 1; | |
415 | ||
416 | ! if (n > (ep - bp)) { | |
417 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
418 | return (NULL); | |
419 | } | |
420 | pvt->net.n_name = strcpy(bp, name); | |
421 | bp += n; | |
422 | } | |
423 | break; | |
424 | case by_addr: | |
425 | if (addr != NULL && addrlen != 0) { | |
426 | int n = addrlen / 8 + ((addrlen % 8) != 0); | |
427 | ||
428 | ! if (INADDRSZ > (ep - bp)) { | |
429 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
430 | return (NULL); | |
431 | } | |
432 | *************** | |
433 | *** 366,372 **** | |
434 | memcpy(bp, addr, n); | |
435 | pvt->net.n_addr = bp; | |
436 | bp += INADDRSZ; | |
437 | - buflen -= INADDRSZ; | |
438 | } | |
439 | break; | |
440 | default: | |
441 | --- 365,370 ---- | |
442 | *************** | |
443 | *** 377,383 **** | |
444 | ap = pvt->ali; | |
445 | haveanswer = 0; | |
446 | while (--ancount >= 0 && cp < eom) { | |
447 | ! int n = dn_expand(ansbuf, eom, cp, bp, buflen); | |
448 | ||
449 | cp += n; /* Owner */ | |
450 | if (n < 0 || !maybe_dnok(pvt->res, bp) || | |
451 | --- 375,381 ---- | |
452 | ap = pvt->ali; | |
453 | haveanswer = 0; | |
454 | while (--ancount >= 0 && cp < eom) { | |
455 | ! int n = dn_expand(ansbuf, eom, cp, bp, ep - bp); | |
456 | ||
457 | cp += n; /* Owner */ | |
458 | if (n < 0 || !maybe_dnok(pvt->res, bp) || | |
459 | *************** | |
460 | *** 392,398 **** | |
461 | if (class == C_IN && type == T_PTR) { | |
462 | int nn; | |
463 | ||
464 | ! nn = dn_expand(ansbuf, eom, cp, bp, buflen); | |
465 | if (nn < 0 || !maybe_hnok(pvt->res, bp) || nn != n) { | |
466 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
467 | return (NULL); | |
468 | --- 390,396 ---- | |
469 | if (class == C_IN && type == T_PTR) { | |
470 | int nn; | |
471 | ||
472 | ! nn = dn_expand(ansbuf, eom, cp, bp, ep - bp); | |
473 | if (nn < 0 || !maybe_hnok(pvt->res, bp) || nn != n) { | |
474 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
475 | return (NULL); | |
476 | *************** | |
477 | *** 408,414 **** | |
478 | *ap++ = bp; | |
479 | nn = strlen(bp) + 1; | |
480 | bp += nn; | |
481 | - buflen -= nn; | |
482 | haveanswer++; | |
483 | break; | |
484 | } | |
485 | --- 406,411 ---- | |
486 | *************** | |
487 | *** 419,425 **** | |
488 | sscanf(bp, "%u.%u.%u.%u.in-addr.arpa", | |
489 | &b1, &b2, &b3, &b4) != 4) | |
490 | break; | |
491 | ! if (buflen < INADDRSZ) { | |
492 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
493 | return (NULL); | |
494 | } | |
495 | --- 416,422 ---- | |
496 | sscanf(bp, "%u.%u.%u.%u.in-addr.arpa", | |
497 | &b1, &b2, &b3, &b4) != 4) | |
498 | break; | |
499 | ! if ((ep - bp) < INADDRSZ) { | |
500 | RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); | |
501 | return (NULL); | |
502 | } | |
503 | *************** | |
504 | *** 428,434 **** | |
505 | *bp++ = b3; | |
506 | *bp++ = b2; | |
507 | *bp++ = b1; | |
508 | - buflen -= INADDRSZ; | |
509 | pvt->net.n_length = INADDRSZ * 8; | |
510 | haveanswer++; | |
511 | } | |
512 | --- 425,430 ---- |