From patchwork Fri Mar 8 20:44:49 2019
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 31788
Date: Fri, 08 Mar 2019 21:44:49 +0100
To: libc-alpha@sourceware.org
Subject: [PATCH] nss_dns: Enforce QDCOUNT == 1 in getnetby* implementation
Message-Id: <20190308204449.3567B80DD6B5@oldenburg2.str.redhat.com>
From: Florian Weimer

The stub resolver sends a query with one question record, so if the
answer contains a different number, the DNS message is corrupted.

2019-03-08  Florian Weimer

	* resolv/nss_dns/dns-network.c (getanswer_r): Bail out if question
	count is not one.

diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c index 4617b165db..9c0082d270 100644 --- a/resolv/nss_dns/dns-network.c +++ b/resolv/nss_dns/dns-network.c 
@@ -300,34 +300,21 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result, int have_answer; u_char packtmp[NS_MAXCDNAME]; - if (question_count == 0) + if (question_count != 1) { - /* FIXME: the Sun version uses for host name lookup an additional - parameter for pointing to h_errno. this is missing here. - OSF/1 has a per-thread h_errno variable. */ - if (header_pointer->aa != 0) - { - __set_h_errno (HOST_NOT_FOUND); - return NSS_STATUS_NOTFOUND; - } - else - { - __set_h_errno (TRY_AGAIN); - return NSS_STATUS_TRYAGAIN; - } + bad_message: + *errnop = EBADMSG; + __set_h_errno (NO_RECOVERY); + return NSS_STATUS_UNAVAIL; } /* Skip the question part. */ - while (question_count-- > 0) - { - int n = __dn_skipname (cp, end_of_message); - if (n < 0 || end_of_message - (cp + n) < QFIXEDSZ) - { - __set_h_errno (NO_RECOVERY); - return NSS_STATUS_UNAVAIL; - } - cp += n + QFIXEDSZ; - } + { + int n = __dn_skipname (cp, end_of_message); + if (n < 0 || end_of_message - (cp + n) < QFIXEDSZ) + goto bad_message; + cp += n + QFIXEDSZ; + } alias_pointer = result->n_aliases = &net_data->aliases[0]; *alias_pointer = NULL;
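Review bot: The new `if (question_count != 1)` check also changes what a reply with QDCOUNT == 0 returns, and neither the commit message nor the ChangeLog entry says so. The removed branch mapped that case to NSS_STATUS_NOTFOUND with HOST_NOT_FOUND when `header_pointer->aa != 0`, and to NSS_STATUS_TRYAGAIN with TRY_AGAIN otherwise. It now returns NSS_STATUS_UNAVAIL with NO_RECOVERY and `*errnop = EBADMSG`. Please state in the commit message that the zero-question case is deliberately reclassified as a malformed message, so the change in status seen by callers is on record. A smaller style point: `bad_message:` sits inside the body of the `if`, and the `goto bad_message;` in the question-skipping block jumps into that body from a sibling scope. This is valid C but easy to misread. Consider moving the label and its three statements to a shared error exit outside the `if`, so that both the QDCOUNT check and the `__dn_skipname` failure jump to it in the same way.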