From 1ca597551bab424a1302938dd3504ddf73904efd Mon Sep 17 00:00:00 2001
From: Rich Felker
Date: Tue, 11 Apr 2017 22:01:31 -0400
Subject: fix read past end of buffer in getaddrinfo backend
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

due to testing buf[i].family==AF_INET before checking i==cnt, it was possible to read past the end of the array, or past the valid part. in practice, without active bounds/indeterminate-value checking by the compiler, the worst that happened was failure to return early and optimize out the sorting that's unneeded for v4-only results.

returning on i==cnt-1 rather than i==cnt would be an alternate fix, but the approach this patch takes is more idiomatic and less error-prone.

patch by Timo Teräs.

--- src/network/lookup_name.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/network') diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c index fb7303a3..066be4d5 100644 --- a/src/network/lookup_name.c +++ b/src/network/lookup_name.c @@ -338,8 +338,8 @@ int __lookup_name(struct address buf[static MAXADDRS], char canon[static 256], c /* No further processing is needed if there are fewer than 2 * results or if there are only IPv4 results. */ if (cnt<2 || family==AF_INET) return cnt; - for (i=0; buf[i].family == AF_INET; i++) - if (i==cnt) return cnt; + for (i=0; i
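
Review bot: the new loop header that begins `for (i=0; i` needs its bound on i evaluated before `buf[i].family` is read, and this page cuts the added line off before the condition, so that ordering should be confirmed against the full patch. The removed form, `for (i=0; buf[i].family == AF_INET; i++)` followed by `if (i==cnt) return cnt;`, read the element first and compared the index afterwards, which is the order to avoid. A one-line comment stating that entries of buf at index cnt and beyond are not valid results would make it harder for a later edit to swap the tests back.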