#define BOUNDED_INCR(x) \
do { \
+ BOUNDS_CHECK(cp, (x)); \
cp += (x); \
- if (cp > eom) { \
- h_errno = NO_RECOVERY; \
- return NULL; \
- } \
} while (/*CONSTCOND*/0)
#define BOUNDS_CHECK(ptr, count) \
do { \
- if ((ptr) + (count) > eom) { \
+ if (eom - (ptr) < (count)) { \
h_errno = NO_RECOVERY; \
return NULL; \
} \
static const char AskedForGot[] =
"gethostby*.getanswer: asked for \"%s\", got \"%s\"";
+#define BOUNDED_INCR(x) \
+ do { \
+ BOUNDS_CHECK(cp, (x)); \
+ cp += (x); \
+ } while (/*CONSTCOND*/0)
+
+#define BOUNDS_CHECK(ptr, count) \
+ do { \
+ if (eom - (ptr) < (count)) { h_errno = NO_RECOVERY; return NULL; } \
+ } while (/*CONSTCOND*/0)
+
static struct addrinfo *
getanswer(const querybuf *answer, int anslen, const char *qname, int qtype,
const struct addrinfo *pai)
qdcount = ntohs(hp->qdcount);
bp = hostbuf;
ep = hostbuf + sizeof hostbuf;
- cp = answer->buf + HFIXEDSZ;
+ cp = answer->buf;
+ BOUNDED_INCR(HFIXEDSZ);
if (qdcount != 1) {
h_errno = NO_RECOVERY;
return (NULL);
h_errno = NO_RECOVERY;
return (NULL);
}
- cp += n + QFIXEDSZ;
+ BOUNDED_INCR(n + QFIXEDSZ);
if (qtype == T_A || qtype == T_AAAA || qtype == T_ANY) {
/* res_send() has already verified that the query name is the
* same as the one we sent; this just gets the expanded name
continue;
}
cp += n; /* name */
+ BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ);
type = _getshort(cp);
cp += INT16SZ; /* type */
class = _getshort(cp);
cp += INT16SZ + INT32SZ; /* class, TTL */
n = _getshort(cp);
cp += INT16SZ; /* len */
+ BOUNDS_CHECK(cp, n);
if (class != C_IN) {
/* XXX - debug? syslog? */
cp += n;