From bb9af59bba5b72b90c38d28809c30b31933c64d5 Mon Sep 17 00:00:00 2001 From: Rich Felker Date: Mon, 2 Jun 2014 01:31:28 -0400 Subject: fix off-by-one in checking hostname length in new resolver backend this bug was introduced in the recent resolver overhaul commits. it likely had visible symptoms. these were probably limited to wrongly accepting truncated versions of over-long names (vs rejecting them), as opposed to stack-based overflows or anything more severe, but no extensive checks were made. there have been no releases where this bug was present. --- src/network/lookup_name.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c index b1f1ffd0..e1b583ee 100644 --- a/src/network/lookup_name.c +++ b/src/network/lookup_name.c @@ -14,7 +14,7 @@ static int is_valid_hostname(const char *host) { const unsigned char *s; - if (strnlen(host, 255)-1 > 254 || mbstowcs(0, host, 0) > 255) return 0; + if (strnlen(host, 256)-1 > 254 || mbstowcs(0, host, 0) > 255) return 0; for (s=(void *)host; *s>=0x80 || *s=='.' || *s=='-' || isalnum(*s); s++); return !*s; } @@ -119,7 +119,7 @@ int __lookup_name(struct address buf[static MAXADDRS], char canon[static 256], c *canon = 0; if (name) { size_t l; - if ((l = strnlen(name, 255))-1 > 254) + if ((l = strnlen(name, 256))-1 > 254) return EAI_NONAME; memcpy(canon, name, l+1); } -- cgit v1.2.1