summaryrefslogtreecommitdiff
path: root/compat/time32
diff options
context:
space:
mode:
authorAlexey Izbyshev <izbyshev@ispras.ru>2023-01-28 00:17:37 +0300
committerRich Felker <dalias@aerifal.cx>2023-02-27 10:01:29 -0500
commit12590c8bbd04ea484cee86812e2258fbdfca0e59 (patch)
tree5f844f3a3ff128794c4bcc0cd73de2f3fadd3a61 /compat/time32
parentbc695a5ac1d7929e5c1ad5297eb47e146cccd157 (diff)
downloadmusl-12590c8bbd04ea484cee86812e2258fbdfca0e59.tar.gz
fix out-of-bounds reads in __dns_parse
There are several issues with range checks in this function: * The question section parsing loop can read up to two out-of-bounds bytes before doing the range check and bailing out. * The answer section parsing loop, in addition to the same issue as above, uses the wrong length in the range check that doesn't prevent OOB reads when computing len later. * The len range check before calling the callback is off by 10. Also, p+len can overflow in a (probably theoretical) case when p is within 2^16 from UINTPTR_MAX. Because __dns_parse is used only with stack-allocated buffers, such small overreads can't result in a segfault. The first two also don't affect the function result, but the last one may result in getaddrinfo incorrectly succeeding and returning up to 10 bytes past the response buffer as a part of the IP address, and in (canon) name returned by getaddrinfo/getnameinfo being affected by memory past the response buffer (because dn_expand might interpret it as a pointer).
Diffstat (limited to 'compat/time32')
0 files changed, 0 insertions, 0 deletions