authorKen Chen <cken@google.com>2020-08-07 19:04:25 +0800
committerAnis Assi <anisassi@google.com>2020-09-10 13:51:22 -0700
commit1d5fa0a6c7a7252aaca61f034ec9de5d7fa84fe1 (patch)
treeb4bd3e2366744ad2d7acc4d56bc70303f7e8a8cd
parent196632fb3c59ebbf1184d791a3e7124dd0c3f22b (diff)
The remote server specifies resplen, the length of the response it intends to send. anssiz represents the size of the destination buffer. If the reported resplen is larger than anssiz, the code correctly reads only up to anssiz bytes but returns resplen, so later functions will access far out of bounds. The fix ensures that the length returned by send_vc does not exceed the buffer size. Bug: 161362564 Test: build, flash, boot Test: atest netd_integration_test Merged-In: Id4b5df1be4652e4623847b0b0bad0af65b80fdd5 Change-Id: Id4b5df1be4652e4623847b0b0bad0af65b80fdd5 (cherry picked from commit 43264bc36557db9a281b321aab16e574401dfddc)
-rw-r--r--libc/dns/resolv/res_send.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/libc/dns/resolv/res_send.c b/libc/dns/resolv/res_send.c
index 18bb75279..81b42a628 100644
--- a/libc/dns/resolv/res_send.c
+++ b/libc/dns/resolv/res_send.c
@@ -950,6 +950,8 @@ send_vc(res_state statp,
else
break;
}
+ // return size should never exceed container size
+ resplen = anssiz;
}
/*
* If the calling applicating has bailed out of
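Review bot: The added comment at `resplen = anssiz;` does not say why the clamp is needed, and it uses `//` where the surrounding code uses `/* */` block comments (see the comment right after the closing brace). I would word it as `/* resplen is the peer-supplied length; only anssiz bytes were stored in ans, so never return more than that */`, so the next reader sees that the value is controlled by the remote server and that later code treats the return value as the number of valid bytes in ans. After this assignment the original wire length is gone, so callers can presumably detect truncation only through the header's TC bit; that is worth confirming, since the code that sets it lies outside the hunk. The second hunk's `DprintQ(..., ans, resplen)` now relies entirely on this clamp having run, which holds only if every path with resplen > anssiz enters this branch; the enclosing block begins above the hunk, so that could not be checked here.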
@@ -962,7 +964,7 @@ send_vc(res_state statp,
DprintQ((statp->options & RES_DEBUG) ||
(statp->pfcode & RES_PRF_REPLY),
(stdout, ";; old answer (unexpected):\n"),
- ans, (resplen > anssiz) ? anssiz: resplen);
+ ans, resplen);
goto read_len;
}