[packages/bind.git] / bind-sec-from-833.patch

Index: bind8/src/lib/irs/dns_ho.c
diff -c bind8/src/lib/irs/dns_ho.c:1.36 bind8/src/lib/irs/dns_ho.c:1.39
*** bind8/src/lib/irs/dns_ho.c:1.36	Thu May 30 23:05:30 2002
--- bind8/src/lib/irs/dns_ho.c	Wed Jun 26 20:56:32 2002
***************
*** 74,79 ****
--- 74,80 ----
  #include <resolv.h>
  #include <stdio.h>
  #include <string.h>
+ #include <syslog.h>
  
  #include <isc/memcluster.h>
  #include <irs.h>
***************
*** 161,167 ****
  				     const struct addrinfo *pai);
  
  static void		map_v4v6_hostent(struct hostent *hp, char **bp,
! 					 int *len);
  static void		addrsort(res_state, char **, int);
  static struct hostent *	gethostans(struct irs_ho *this,
  				   const u_char *ansbuf, int anslen,
--- 162,168 ----
  				     const struct addrinfo *pai);
  
  static void		map_v4v6_hostent(struct hostent *hp, char **bp,
! 					 char *ep);
  static void		addrsort(res_state, char **, int);
  static struct hostent *	gethostans(struct irs_ho *this,
  				   const u_char *ansbuf, int anslen,
***************
*** 1079,1085 ****
  	   struct addrinfo **ret_aip, const struct addrinfo *pai)
  {
  	struct pvt *pvt = (struct pvt *)this->private;
! 	int type, class, buflen, ancount, qdcount, n, haveanswer, had_error;
  	int error = NETDB_SUCCESS, arcount;
  	int (*name_ok)(const char *);
  	const HEADER *hp;
--- 1080,1086 ----
  	   struct addrinfo **ret_aip, const struct addrinfo *pai)
  {
  	struct pvt *pvt = (struct pvt *)this->private;
! 	int type, class, ancount, qdcount, n, haveanswer, had_error;
  	int error = NETDB_SUCCESS, arcount;
  	int (*name_ok)(const char *);
  	const HEADER *hp;
***************
*** 1088,1094 ****
  	const u_char *cp;
  	const char *tname;
  	const char *hname;
! 	char *bp, **ap, **hap;
  	char tbuf[MAXDNAME+1];
  	struct addrinfo sentinel, *cur, ai;
  	const u_char *arp = NULL;
--- 1089,1095 ----
  	const u_char *cp;
  	const char *tname;
  	const char *hname;
! 	char *bp, *ep, **ap, **hap;
  	char tbuf[MAXDNAME+1];
  	struct addrinfo sentinel, *cur, ai;
  	const u_char *arp = NULL;
***************
*** 1131,1143 ****
  	qdcount = ntohs(hp->qdcount);
  	arcount = ntohs(hp->arcount);
  	bp = pvt->hostbuf;
! 	buflen = sizeof pvt->hostbuf;
  	cp = ansbuf + HFIXEDSZ;
  	if (qdcount != 1) {
  		RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  		return (NULL);
  	}
! 	n = dn_expand(ansbuf, eom, cp, bp, buflen);
  	if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
  		RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  		return (NULL);
--- 1132,1144 ----
  	qdcount = ntohs(hp->qdcount);
  	arcount = ntohs(hp->arcount);
  	bp = pvt->hostbuf;
! 	ep = pvt->hostbuf + sizeof(pvt->hostbuf);
  	cp = ansbuf + HFIXEDSZ;
  	if (qdcount != 1) {
  		RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  		return (NULL);
  	}
! 	n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
  	if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
  		RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  		return (NULL);
***************
*** 1161,1167 ****
  		pvt->host.h_name = bp;
  		hname = bp;
  		bp += n;
- 		buflen -= n;
  		/* The qname can be abbreviated, but hname is now absolute. */
  		qname = pvt->host.h_name;
  	}
--- 1162,1167 ----
***************
*** 1174,1180 ****
  	haveanswer = 0;
  	had_error = 0;
  	while (ancount-- > 0 && cp < eom && !had_error) {
! 		n = dn_expand(ansbuf, eom, cp, bp, buflen);
  		if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
  			had_error++;
  			continue;
--- 1174,1180 ----
  	haveanswer = 0;
  	had_error = 0;
  	while (ancount-- > 0 && cp < eom && !had_error) {
! 		n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
  		if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
  			had_error++;
  			continue;
***************
*** 1195,1200 ****
--- 1195,1209 ----
  		eor = cp + n;
  		if ((qtype == T_A || qtype == T_AAAA || qtype == ns_t_a6 ||
  		     qtype == T_ANY) && type == T_CNAME) {
+ 			if (haveanswer) {
+ 				int level = LOG_CRIT;
+ #ifdef LOG_SECURITY
+ 				level |= LOG_SECURITY;
+ #endif
+ 				syslog(level,
+  "gethostans: possible attempt to exploit buffer overflow while looking up %s",
+ 					*qname ? qname : ".");
+ 			}
  			if (ap >= &pvt->host_aliases[MAXALIASES-1])
  				continue;
  			n = dn_expand(ansbuf, eor, cp, tbuf, sizeof tbuf);
***************
*** 1207,1216 ****
  			*ap++ = bp;
  			n = strlen(bp) + 1;	/* for the \0 */
  			bp += n;
- 			buflen -= n;
  			/* Get canonical name. */
  			n = strlen(tbuf) + 1;	/* for the \0 */
! 			if (n > buflen || n > MAXHOSTNAMELEN) {
  				had_error++;
  				continue;
  			}
--- 1216,1224 ----
  			*ap++ = bp;
  			n = strlen(bp) + 1;	/* for the \0 */
  			bp += n;
  			/* Get canonical name. */
  			n = strlen(tbuf) + 1;	/* for the \0 */
! 			if (n > (ep - bp) || n > MAXHOSTNAMELEN) {
  				had_error++;
  				continue;
  			}
***************
*** 1218,1224 ****
  			pvt->host.h_name = bp;
  			hname = bp;
  			bp += n;
- 			buflen -= n;
  			continue;
  		}
  		if (type == ns_t_dname) {
--- 1226,1231 ----
***************
*** 1254,1260 ****
  			cp += n;
  
  			n = strlen(t) + 1; /* for the \0 */
! 			if (n > buflen) {
  				had_error++;
  				continue;
  			}
--- 1261,1267 ----
  			cp += n;
  
  			n = strlen(t) + 1; /* for the \0 */
! 			if (n > (ep - bp)) {
  				had_error++;
  				continue;
  			}
***************
*** 1264,1270 ****
  			else
  				hname = bp;
  			bp += n;
- 			buflen -= n;
  
  			continue;
  		}
--- 1271,1276 ----
***************
*** 1290,1303 ****
  			}
  			/* Get canonical name. */
  			n = strlen(tbuf) + 1;	/* for the \0 */
! 			if (n > buflen) {
  				had_error++;
  				continue;
  			}
  			strcpy(bp, tbuf);
  			tname = bp;
  			bp += n;
- 			buflen -= n;
  			continue;
  		}
  		if (qtype == T_ANY) {
--- 1296,1308 ----
  			}
  			/* Get canonical name. */
  			n = strlen(tbuf) + 1;	/* for the \0 */
! 			if (n > (ep - bp)) {
  				had_error++;
  				continue;
  			}
  			strcpy(bp, tbuf);
  			tname = bp;
  			bp += n;
  			continue;
  		}
  		if (qtype == T_ANY) {
***************
*** 1321,1327 ****
  				cp += n;
  				continue;
  			}
! 			n = dn_expand(ansbuf, eor, cp, bp, buflen);
  			if (n < 0 || !maybe_hnok(pvt->res, bp) ||
  			    n >= MAXHOSTNAMELEN) {
  				had_error++;
--- 1326,1332 ----
  				cp += n;
  				continue;
  			}
! 			n = dn_expand(ansbuf, eor, cp, bp, ep - bp);
  			if (n < 0 || !maybe_hnok(pvt->res, bp) ||
  			    n >= MAXHOSTNAMELEN) {
  				had_error++;
***************
*** 1339,1345 ****
  			if (n != -1) {
  				n = strlen(bp) + 1;	/* for the \0 */
  				bp += n;
- 				buflen -= n;
  			}
  			break;
  		case ns_t_a6: {
--- 1344,1349 ----
***************
*** 1439,1445 ****
  				pvt->host.h_name = bp;
  				hname = bp;
  				bp += nn;
- 				buflen -= nn;
  			}
  			/* Ensure alignment. */
  			bp = (char *)(((u_long)bp + (sizeof(align) - 1)) &
--- 1443,1448 ----
***************
*** 1493,1507 ****
  					 haveanswer);
  			if (pvt->host.h_name == NULL) {
  				n = strlen(qname) + 1;	/* for the \0 */
! 				if (n > buflen || n >= MAXHOSTNAMELEN)
  					goto no_recovery;
  				strcpy(bp, qname);
  				pvt->host.h_name = bp;
  				bp += n;
- 				buflen -= n;
  			}
  			if (pvt->res->options & RES_USE_INET6)
! 				map_v4v6_hostent(&pvt->host, &bp, &buflen);
  			RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
  			return (&pvt->host);
  		} else {
--- 1496,1509 ----
  					 haveanswer);
  			if (pvt->host.h_name == NULL) {
  				n = strlen(qname) + 1;	/* for the \0 */
! 				if (n > (ep - bp) || n >= MAXHOSTNAMELEN)
  					goto no_recovery;
  				strcpy(bp, qname);
  				pvt->host.h_name = bp;
  				bp += n;
  			}
  			if (pvt->res->options & RES_USE_INET6)
! 				map_v4v6_hostent(&pvt->host, &bp, ep);
  			RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
  			return (&pvt->host);
  		} else {
***************
*** 1575,1581 ****
  }
  
  static void
! map_v4v6_hostent(struct hostent *hp, char **bpp, int *lenp) {
  	char **ap;
  
  	if (hp->h_addrtype != AF_INET || hp->h_length != INADDRSZ)
--- 1577,1583 ----
  }
  
  static void
! map_v4v6_hostent(struct hostent *hp, char **bpp, char *ep) {
  	char **ap;
  
  	if (hp->h_addrtype != AF_INET || hp->h_length != INADDRSZ)
***************
*** 1588,1604 ****
  		if (i != 0)
  			i = sizeof(align) - i;
  
! 		if (*lenp < (i + IN6ADDRSZ)) {
  			/* Out of memory.  Truncate address list here. */
  			*ap = NULL;
  			return;
  		}
  		*bpp += i;
- 		*lenp -= i;
  		map_v4v6_address(*ap, *bpp);
  		*ap = *bpp;
  		*bpp += IN6ADDRSZ;
- 		*lenp -= IN6ADDRSZ;
  	}
  }
  
--- 1590,1604 ----
  		if (i != 0)
  			i = sizeof(align) - i;
  
! 		if ((ep - *bpp) < (i + IN6ADDRSZ)) {
  			/* Out of memory.  Truncate address list here. */
  			*ap = NULL;
  			return;
  		}
  		*bpp += i;
  		map_v4v6_address(*ap, *bpp);
  		*ap = *bpp;
  		*bpp += IN6ADDRSZ;
  	}
  }
  
Index: bind8/src/lib/irs/dns_nw.c
diff -c bind8/src/lib/irs/dns_nw.c:1.22 bind8/src/lib/irs/dns_nw.c:1.23
*** bind8/src/lib/irs/dns_nw.c:1.22	Tue Feb 26 19:50:10 2002
--- bind8/src/lib/irs/dns_nw.c	Wed Jun 26 00:42:06 2002
***************
*** 299,306 ****
  	      int af, const char *name, const u_char *addr, int addrlen)
  {
  	struct pvt *pvt = (struct pvt *)this->private;
! 	int type, class, buflen, ancount, qdcount, haveanswer;
! 	char *bp, **ap;
  	u_char *cp, *eom;
  	HEADER *hp;
  
--- 299,306 ----
  	      int af, const char *name, const u_char *addr, int addrlen)
  {
  	struct pvt *pvt = (struct pvt *)this->private;
! 	int type, class, ancount, qdcount, haveanswer;
! 	char *bp, *ep, **ap;
  	u_char *cp, *eom;
  	HEADER *hp;
  
***************
*** 332,338 ****
  
  	/* Prepare a return structure. */
  	bp = pvt->buf;
! 	buflen = sizeof pvt->buf;
  	pvt->net.n_name = NULL;
  	pvt->net.n_aliases = pvt->ali;
  	pvt->net.n_addrtype = af;
--- 332,338 ----
  
  	/* Prepare a return structure. */
  	bp = pvt->buf;
! 	ep = pvt->buf + sizeof(pvt->buf);
  	pvt->net.n_name = NULL;
  	pvt->net.n_aliases = pvt->ali;
  	pvt->net.n_addrtype = af;
***************
*** 345,364 ****
  		if (name != NULL) {
  			int n = strlen(name) + 1;
  
! 			if (n > buflen) {
  				RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  				return (NULL);
  			}
  			pvt->net.n_name = strcpy(bp, name);
  			bp += n;
- 			buflen -= n;
  		}
  		break;
  	case by_addr:
  		if (addr != NULL && addrlen != 0) {
  			int n = addrlen / 8 + ((addrlen % 8) != 0);
  
! 			if (INADDRSZ > buflen) {
  				RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  				return (NULL);
  			}
--- 345,363 ----
  		if (name != NULL) {
  			int n = strlen(name) + 1;
  
! 			if (n > (ep - bp)) {
  				RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  				return (NULL);
  			}
  			pvt->net.n_name = strcpy(bp, name);
  			bp += n;
  		}
  		break;
  	case by_addr:
  		if (addr != NULL && addrlen != 0) {
  			int n = addrlen / 8 + ((addrlen % 8) != 0);
  
! 			if (INADDRSZ > (ep - bp)) {
  				RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  				return (NULL);
  			}
***************
*** 366,372 ****
  			memcpy(bp, addr, n);
  			pvt->net.n_addr = bp;
  			bp += INADDRSZ;
- 			buflen -= INADDRSZ;
  		}
  		break;
  	default:
--- 365,370 ----
***************
*** 377,383 ****
  	ap = pvt->ali;
  	haveanswer = 0;
  	while (--ancount >= 0 && cp < eom) {
! 		int n = dn_expand(ansbuf, eom, cp, bp, buflen);
  
  		cp += n;		/* Owner */
  		if (n < 0 || !maybe_dnok(pvt->res, bp) ||
--- 375,381 ----
  	ap = pvt->ali;
  	haveanswer = 0;
  	while (--ancount >= 0 && cp < eom) {
! 		int n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
  
  		cp += n;		/* Owner */
  		if (n < 0 || !maybe_dnok(pvt->res, bp) ||
***************
*** 392,398 ****
  		if (class == C_IN && type == T_PTR) {
  			int nn;
  
! 			nn = dn_expand(ansbuf, eom, cp, bp, buflen);
  			if (nn < 0 || !maybe_hnok(pvt->res, bp) || nn != n) {
  				RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  				return (NULL);
--- 390,396 ----
  		if (class == C_IN && type == T_PTR) {
  			int nn;
  
! 			nn = dn_expand(ansbuf, eom, cp, bp, ep - bp);
  			if (nn < 0 || !maybe_hnok(pvt->res, bp) || nn != n) {
  				RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  				return (NULL);
***************
*** 408,414 ****
  					*ap++ = bp;
  				nn = strlen(bp) + 1;
  				bp += nn;
- 				buflen -= nn;
  				haveanswer++;
  				break;
  			    }
--- 406,411 ----
***************
*** 419,425 ****
  				    sscanf(bp, "%u.%u.%u.%u.in-addr.arpa",
  					   &b1, &b2, &b3, &b4) != 4)
  					break;
! 				if (buflen < INADDRSZ) {
  					RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  					return (NULL);
  				}
--- 416,422 ----
  				    sscanf(bp, "%u.%u.%u.%u.in-addr.arpa",
  					   &b1, &b2, &b3, &b4) != 4)
  					break;
! 				if ((ep - bp) < INADDRSZ) {
  					RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
  					return (NULL);
  				}
***************
*** 428,434 ****
  				*bp++ = b3;
  				*bp++ = b2;
  				*bp++ = b1;
- 				buflen -= INADDRSZ;
  				pvt->net.n_length = INADDRSZ * 8;
  				haveanswer++;
  			    }
--- 425,430 ----
Commit	Line	Data
f549e3c5 JB	1	Index: bind8/src/lib/irs/dns_ho.c
	2	diff -c bind8/src/lib/irs/dns_ho.c:1.36 bind8/src/lib/irs/dns_ho.c:1.39
	3	*** bind8/src/lib/irs/dns_ho.c:1.36 Thu May 30 23:05:30 2002
	4	--- bind8/src/lib/irs/dns_ho.c Wed Jun 26 20:56:32 2002
	5	***************
	6	* 74,79 **
	7	--- 74,80 ----
	8	#include <resolv.h>
	9	#include <stdio.h>
	10	#include <string.h>
	11	+ #include <syslog.h>
	12
	13	#include <isc/memcluster.h>
	14	#include <irs.h>
	15	***************
	16	* 161,167 **
	17	const struct addrinfo *pai);
	18
	19	static void map_v4v6_hostent(struct hostent hp, char *bp,
	20	! int *len);
	21	static void addrsort(res_state, char **, int);
	22	static struct hostent * gethostans(struct irs_ho *this,
	23	const u_char *ansbuf, int anslen,
	24	--- 162,168 ----
	25	const struct addrinfo *pai);
	26
	27	static void map_v4v6_hostent(struct hostent hp, char *bp,
	28	! char *ep);
	29	static void addrsort(res_state, char **, int);
	30	static struct hostent * gethostans(struct irs_ho *this,
	31	const u_char *ansbuf, int anslen,
	32	***************
	33	* 1079,1085 **
	34	struct addrinfo *ret_aip, const struct addrinfo pai)
	35	{
	36	struct pvt pvt = (struct pvt )this->private;
	37	! int type, class, buflen, ancount, qdcount, n, haveanswer, had_error;
	38	int error = NETDB_SUCCESS, arcount;
	39	int (name_ok)(const char );
	40	const HEADER *hp;
	41	--- 1080,1086 ----
	42	struct addrinfo *ret_aip, const struct addrinfo pai)
	43	{
	44	struct pvt pvt = (struct pvt )this->private;
	45	! int type, class, ancount, qdcount, n, haveanswer, had_error;
	46	int error = NETDB_SUCCESS, arcount;
	47	int (name_ok)(const char );
	48	const HEADER *hp;
	49	***************
	50	* 1088,1094 **
	51	const u_char *cp;
	52	const char *tname;
	53	const char *hname;
	54	! char bp, ap, *hap;
	55	char tbuf[MAXDNAME+1];
	56	struct addrinfo sentinel, *cur, ai;
	57	const u_char *arp = NULL;
	58	--- 1089,1095 ----
	59	const u_char *cp;
	60	const char *tname;
	61	const char *hname;
	62	! char bp, ep, ap, hap;
	63	char tbuf[MAXDNAME+1];
	64	struct addrinfo sentinel, *cur, ai;
65	const u_char *arp = NULL;
66	***************
67	* 1131,1143 **
68	qdcount = ntohs(hp->qdcount);
69	arcount = ntohs(hp->arcount);
70	bp = pvt->hostbuf;
71	! buflen = sizeof pvt->hostbuf;
72	cp = ansbuf + HFIXEDSZ;
73	if (qdcount != 1) {
74	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
75	return (NULL);
76	}
77	! n = dn_expand(ansbuf, eom, cp, bp, buflen);
78	if (n < 0 \|\| !maybe_ok(pvt->res, bp, name_ok)) {
79	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
80	return (NULL);
81	--- 1132,1144 ----
82	qdcount = ntohs(hp->qdcount);
83	arcount = ntohs(hp->arcount);
84	bp = pvt->hostbuf;
85	! ep = pvt->hostbuf + sizeof(pvt->hostbuf);
86	cp = ansbuf + HFIXEDSZ;
87	if (qdcount != 1) {
88	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
89	return (NULL);
90	}
91	! n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
92	if (n < 0 \|\| !maybe_ok(pvt->res, bp, name_ok)) {
93	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
94	return (NULL);
95	***************
96	* 1161,1167 **
97	pvt->host.h_name = bp;
98	hname = bp;
99	bp += n;
100	- buflen -= n;
101	/* The qname can be abbreviated, but hname is now absolute. */
102	qname = pvt->host.h_name;
103	}
104	--- 1162,1167 ----
105	***************
106	* 1174,1180 **
107	haveanswer = 0;
108	had_error = 0;
109	while (ancount-- > 0 && cp < eom && !had_error) {
110	! n = dn_expand(ansbuf, eom, cp, bp, buflen);
111	if (n < 0 \|\| !maybe_ok(pvt->res, bp, name_ok)) {
112	had_error++;
113	continue;
114	--- 1174,1180 ----
115	haveanswer = 0;
116	had_error = 0;
117	while (ancount-- > 0 && cp < eom && !had_error) {
118	! n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
119	if (n < 0 \|\| !maybe_ok(pvt->res, bp, name_ok)) {
120	had_error++;
121	continue;
122	***************
123	* 1195,1200 **
124	--- 1195,1209 ----
125	eor = cp + n;
126	if ((qtype == T_A \|\| qtype == T_AAAA \|\| qtype == ns_t_a6 \|\|
127	qtype == T_ANY) && type == T_CNAME) {
128	+ if (haveanswer) {
129	+ int level = LOG_CRIT;
130	+ #ifdef LOG_SECURITY
131	+ level \|= LOG_SECURITY;
132	+ #endif
133	+ syslog(level,
134	+ "gethostans: possible attempt to exploit buffer overflow while looking up %s",
135	+ *qname ? qname : ".");
136	+ }
137	if (ap >= &pvt->host_aliases[MAXALIASES-1])
138	continue;
139	n = dn_expand(ansbuf, eor, cp, tbuf, sizeof tbuf);
140	***************
141	* 1207,1216 **
142	*ap++ = bp;
143	n = strlen(bp) + 1; /* for the \0 */
144	bp += n;
145	- buflen -= n;
146	/* Get canonical name. */
147	n = strlen(tbuf) + 1; /* for the \0 */
148	! if (n > buflen \|\| n > MAXHOSTNAMELEN) {
149	had_error++;
150	continue;
151	}
152	--- 1216,1224 ----
153	*ap++ = bp;
154	n = strlen(bp) + 1; /* for the \0 */
155	bp += n;
156	/* Get canonical name. */
157	n = strlen(tbuf) + 1; /* for the \0 */
158	! if (n > (ep - bp) \|\| n > MAXHOSTNAMELEN) {
159	had_error++;
160	continue;
161	}
162	***************
163	* 1218,1224 **
164	pvt->host.h_name = bp;
165	hname = bp;
166	bp += n;
167	- buflen -= n;
168	continue;
169	}
170	if (type == ns_t_dname) {
171	--- 1226,1231 ----
172	***************
173	* 1254,1260 **
174	cp += n;
175
176	n = strlen(t) + 1; /* for the \0 */
177	! if (n > buflen) {
178	had_error++;
179	continue;
180	}
181	--- 1261,1267 ----
182	cp += n;
183
184	n = strlen(t) + 1; /* for the \0 */
185	! if (n > (ep - bp)) {
186	had_error++;
187	continue;
188	}
189	***************
190	* 1264,1270 **
191	else
192	hname = bp;
193	bp += n;
194	- buflen -= n;
195
196	continue;
197	}
198	--- 1271,1276 ----
199	***************
200	* 1290,1303 **
201	}
202	/* Get canonical name. */
203	n = strlen(tbuf) + 1; /* for the \0 */
204	! if (n > buflen) {
205	had_error++;
206	continue;
207	}
208	strcpy(bp, tbuf);
209	tname = bp;
210	bp += n;
211	- buflen -= n;
212	continue;
213	}
214	if (qtype == T_ANY) {
215	--- 1296,1308 ----
216	}
217	/* Get canonical name. */
218	n = strlen(tbuf) + 1; /* for the \0 */
219	! if (n > (ep - bp)) {
220	had_error++;
221	continue;
222	}
223	strcpy(bp, tbuf);
224	tname = bp;
225	bp += n;
226	continue;
227	}
228	if (qtype == T_ANY) {
229	***************
230	* 1321,1327 **
231	cp += n;
232	continue;
233	}
234	! n = dn_expand(ansbuf, eor, cp, bp, buflen);
235	if (n < 0 \|\| !maybe_hnok(pvt->res, bp) \|\|
236	n >= MAXHOSTNAMELEN) {
237	had_error++;
238	--- 1326,1332 ----
239	cp += n;
240	continue;
241	}
242	! n = dn_expand(ansbuf, eor, cp, bp, ep - bp);
243	if (n < 0 \|\| !maybe_hnok(pvt->res, bp) \|\|
244	n >= MAXHOSTNAMELEN) {
245	had_error++;
246	***************
247	* 1339,1345 **
248	if (n != -1) {
249	n = strlen(bp) + 1; /* for the \0 */
250	bp += n;
251	- buflen -= n;
252	}
253	break;
254	case ns_t_a6: {
255	--- 1344,1349 ----
256	***************
257	* 1439,1445 **
258	pvt->host.h_name = bp;
259	hname = bp;
260	bp += nn;
261	- buflen -= nn;
262	}
263	/* Ensure alignment. */
264	bp = (char *)(((u_long)bp + (sizeof(align) - 1)) &
265	--- 1443,1448 ----
266	***************
267	* 1493,1507 **
268	haveanswer);
269	if (pvt->host.h_name == NULL) {
270	n = strlen(qname) + 1; /* for the \0 */
271	! if (n > buflen \|\| n >= MAXHOSTNAMELEN)
272	goto no_recovery;
273	strcpy(bp, qname);
274	pvt->host.h_name = bp;
275	bp += n;
276	- buflen -= n;
277	}
278	if (pvt->res->options & RES_USE_INET6)
279	! map_v4v6_hostent(&pvt->host, &bp, &buflen);
280	RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
281	return (&pvt->host);
282	} else {
283	--- 1496,1509 ----
284	haveanswer);
285	if (pvt->host.h_name == NULL) {
286	n = strlen(qname) + 1; /* for the \0 */
287	! if (n > (ep - bp) \|\| n >= MAXHOSTNAMELEN)
288	goto no_recovery;
289	strcpy(bp, qname);
290	pvt->host.h_name = bp;
291	bp += n;
292	}
293	if (pvt->res->options & RES_USE_INET6)
294	! map_v4v6_hostent(&pvt->host, &bp, ep);
295	RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
296	return (&pvt->host);
297	} else {
298	***************
299	* 1575,1581 **
300	}
301
302	static void
303	! map_v4v6_hostent(struct hostent hp, char bpp, int lenp) {
304	char **ap;
305
306	if (hp->h_addrtype != AF_INET \|\| hp->h_length != INADDRSZ)
307	--- 1577,1583 ----
308	}
309
310	static void
311	! map_v4v6_hostent(struct hostent hp, char bpp, char ep) {
312	char **ap;
313
314	if (hp->h_addrtype != AF_INET \|\| hp->h_length != INADDRSZ)
315	***************
316	* 1588,1604 **
317	if (i != 0)
318	i = sizeof(align) - i;
319
320	! if (*lenp < (i + IN6ADDRSZ)) {
321	/* Out of memory. Truncate address list here. */
322	*ap = NULL;
323	return;
324	}
325	*bpp += i;
326	- *lenp -= i;
327	map_v4v6_address(ap, bpp);
328	ap = bpp;
329	*bpp += IN6ADDRSZ;
330	- *lenp -= IN6ADDRSZ;
331	}
332	}
333
334	--- 1590,1604 ----
335	if (i != 0)
336	i = sizeof(align) - i;
337
338	! if ((ep - *bpp) < (i + IN6ADDRSZ)) {
339	/* Out of memory. Truncate address list here. */
340	*ap = NULL;
341	return;
342	}
343	*bpp += i;
344	map_v4v6_address(ap, bpp);
345	ap = bpp;
346	*bpp += IN6ADDRSZ;
347	}
348	}
349
350	Index: bind8/src/lib/irs/dns_nw.c
351	diff -c bind8/src/lib/irs/dns_nw.c:1.22 bind8/src/lib/irs/dns_nw.c:1.23
352	*** bind8/src/lib/irs/dns_nw.c:1.22 Tue Feb 26 19:50:10 2002
353	--- bind8/src/lib/irs/dns_nw.c Wed Jun 26 00:42:06 2002
354	***************
355	* 299,306 **
356	int af, const char name, const u_char addr, int addrlen)
357	{
358	struct pvt pvt = (struct pvt )this->private;
359	! int type, class, buflen, ancount, qdcount, haveanswer;
360	! char bp, *ap;
361	u_char cp, eom;
362	HEADER *hp;
363
364	--- 299,306 ----
365	int af, const char name, const u_char addr, int addrlen)
366	{
367	struct pvt pvt = (struct pvt )this->private;
368	! int type, class, ancount, qdcount, haveanswer;
369	! char bp, ep, **ap;
370	u_char cp, eom;
371	HEADER *hp;
372
373	***************
374	* 332,338 **
375
376	/* Prepare a return structure. */
377	bp = pvt->buf;
378	! buflen = sizeof pvt->buf;
379	pvt->net.n_name = NULL;
380	pvt->net.n_aliases = pvt->ali;
381	pvt->net.n_addrtype = af;
382	--- 332,338 ----
383
384	/* Prepare a return structure. */
385	bp = pvt->buf;
386	! ep = pvt->buf + sizeof(pvt->buf);
387	pvt->net.n_name = NULL;
388	pvt->net.n_aliases = pvt->ali;
389	pvt->net.n_addrtype = af;
390	***************
391	* 345,364 **
392	if (name != NULL) {
393	int n = strlen(name) + 1;
394
395	! if (n > buflen) {
396	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
397	return (NULL);
398	}
399	pvt->net.n_name = strcpy(bp, name);
400	bp += n;
401	- buflen -= n;
402	}
403	break;
404	case by_addr:
405	if (addr != NULL && addrlen != 0) {
406	int n = addrlen / 8 + ((addrlen % 8) != 0);
407
408	! if (INADDRSZ > buflen) {
409	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
410	return (NULL);
411	}
412	--- 345,363 ----
413	if (name != NULL) {
414	int n = strlen(name) + 1;
415
416	! if (n > (ep - bp)) {
417	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
418	return (NULL);
419	}
420	pvt->net.n_name = strcpy(bp, name);
421	bp += n;
422	}
423	break;
424	case by_addr:
425	if (addr != NULL && addrlen != 0) {
426	int n = addrlen / 8 + ((addrlen % 8) != 0);
427
428	! if (INADDRSZ > (ep - bp)) {
429	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
430	return (NULL);
431	}
432	***************
433	* 366,372 **
434	memcpy(bp, addr, n);
435	pvt->net.n_addr = bp;
436	bp += INADDRSZ;
437	- buflen -= INADDRSZ;
438	}
439	break;
440	default:
441	--- 365,370 ----
442	***************
443	* 377,383 **
444	ap = pvt->ali;
445	haveanswer = 0;
446	while (--ancount >= 0 && cp < eom) {
447	! int n = dn_expand(ansbuf, eom, cp, bp, buflen);
448
449	cp += n; /* Owner */
450	if (n < 0 \|\| !maybe_dnok(pvt->res, bp) \|\|
451	--- 375,381 ----
452	ap = pvt->ali;
453	haveanswer = 0;
454	while (--ancount >= 0 && cp < eom) {
455	! int n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
456
457	cp += n; /* Owner */
458	if (n < 0 \|\| !maybe_dnok(pvt->res, bp) \|\|
459	***************
460	* 392,398 **
461	if (class == C_IN && type == T_PTR) {
462	int nn;
463
464	! nn = dn_expand(ansbuf, eom, cp, bp, buflen);
465	if (nn < 0 \|\| !maybe_hnok(pvt->res, bp) \|\| nn != n) {
466	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
467	return (NULL);
468	--- 390,396 ----
469	if (class == C_IN && type == T_PTR) {
470	int nn;
471
472	! nn = dn_expand(ansbuf, eom, cp, bp, ep - bp);
473	if (nn < 0 \|\| !maybe_hnok(pvt->res, bp) \|\| nn != n) {
474	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
475	return (NULL);
476	***************
477	* 408,414 **
478	*ap++ = bp;
479	nn = strlen(bp) + 1;
480	bp += nn;
481	- buflen -= nn;
482	haveanswer++;
483	break;
484	}
485	--- 406,411 ----
486	***************
487	* 419,425 **
488	sscanf(bp, "%u.%u.%u.%u.in-addr.arpa",
489	&b1, &b2, &b3, &b4) != 4)
490	break;
491	! if (buflen < INADDRSZ) {
492	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
493	return (NULL);
494	}
495	--- 416,422 ----
496	sscanf(bp, "%u.%u.%u.%u.in-addr.arpa",
497	&b1, &b2, &b3, &b4) != 4)
498	break;
499	! if ((ep - bp) < INADDRSZ) {
500	RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
501	return (NULL);
502	}
503	***************
504	* 428,434 **
505	*bp++ = b3;
506	*bp++ = b2;
507	*bp++ = b1;
508	- buflen -= INADDRSZ;
509	pvt->net.n_length = INADDRSZ * 8;
510	haveanswer++;
511	}
512	--- 425,430 ----