From patchwork Mon May 2 14:08:31 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Weimer X-Patchwork-Id: 11968 Received: (qmail 40638 invoked by alias); 2 May 2016 14:08:35 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 40416 invoked by uid 89); 2 May 2016 14:08:34 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-2.9 required=5.0 tests=BAYES_00, RP_MATCHES_RCVD, SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=TXT, 398, 7, 3987, Hx-languages-length:634 X-HELO: mx1.redhat.com Date: Mon, 02 May 2016 16:08:31 +0200 To: libc-alpha@sourceware.org Subject: [PATCH COMMITTED] hesiod: Avoid heap overflow in get_txt_records [BZ #20031] User-Agent: Heirloom mailx 12.5 7/5/10 MIME-Version: 1.0 Message-Id: <20160502140831.B82C040438A23@oldenburg.str.redhat.com> From: fweimer@redhat.com (Florian Weimer) 2016-05-02 Florian Weimer [BZ #20031] * hesiod/hesiod.c (get_txt_records): Return error if TXT record is completely empty. diff --git a/hesiod/hesiod.c b/hesiod/hesiod.c index 6ecbad1..c2925a0 100644 --- a/hesiod/hesiod.c +++ b/hesiod/hesiod.c @@ -398,7 +398,7 @@ get_txt_records(struct hesiod_p *ctx, int class, const char *name) { cp += INT16SZ + INT32SZ; /* skip the ttl, too */ rr.dlen = ns_get16(cp); cp += INT16SZ; - if (cp + rr.dlen > eom) { + if (rr.dlen == 0 || cp + rr.dlen > eom) { __set_errno(EMSGSIZE); goto cleanup; }
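
Review bot: The new `rr.dlen == 0` test in the bounds check of get_txt_records carries no comment explaining why a zero-length RDATA has to be rejected here. The subject line says this avoids a heap overflow, but nothing at the check names the later step that depends on `rr.dlen` being nonzero, so a future cleanup could drop the condition as redundant. A short comment above the `if` naming that dependency would help. Two smaller points on the same line: the empty-record case shares `EMSGSIZE` with the truncated-record case, so callers cannot tell them apart, which is worth a word in the comment if it is intended; and `cp + rr.dlen > eom` forms the sum before comparing, where `rr.dlen > eom - cp` expresses the same bound without computing a pointer past the end of the buffer. No regression test with an empty TXT record accompanies the change in the visible diff.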