aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Stewart <pstew@google.com>2016-11-09 17:33:35 +0000
committerandroid-build-merger <android-build-merger@google.com>2016-11-09 17:33:35 +0000
commit9f1b2827cb88c58a80c470a4bddb2485677ec57f (patch)
tree11c144f73d691d2d04a1819e9be7d6b377290cd6
parentde2cd886042f484dc8694e614c3ac16298f93514 (diff)
parent211489aeaed3157c34e46f350afea813960258af (diff)
downloadc-ares-oreo-dr2-release.tar.gz
[BACKPORT] res_create_query: avoid single-byte buffer overwrite am: f4baf84f28 am: 6ec5e7a803 am: 178523dfa9android-wear-8.1.0_r1android-vts-8.1_r9android-vts-8.1_r8android-vts-8.1_r7android-vts-8.1_r6android-vts-8.1_r5android-vts-8.1_r4android-vts-8.1_r3android-vts-8.1_r14android-vts-8.1_r13android-vts-8.1_r12android-vts-8.1_r11android-vts-8.1_r10android-vts-8.0_r9android-vts-8.0_r8android-vts-8.0_r7android-vts-8.0_r6android-vts-8.0_r2android-vts-8.0_r13android-vts-8.0_r12android-vts-8.0_r11android-vts-8.0_r10android-vts-8.0_r1android-security-8.1.0_r93android-security-8.1.0_r92android-security-8.1.0_r91android-security-8.1.0_r90android-security-8.1.0_r89android-security-8.1.0_r88android-security-8.1.0_r87android-security-8.1.0_r86android-security-8.1.0_r85android-security-8.1.0_r84android-security-8.1.0_r83android-security-8.1.0_r82android-security-8.0.0_r54android-security-8.0.0_r53android-security-8.0.0_r52android-o-mr1-preview-2android-o-mr1-preview-1android-cts-8.1_r9android-cts-8.1_r8android-cts-8.1_r7android-cts-8.1_r6android-cts-8.1_r5android-cts-8.1_r4android-cts-8.1_r3android-cts-8.1_r25android-cts-8.1_r24android-cts-8.1_r23android-cts-8.1_r22android-cts-8.1_r21android-cts-8.1_r20android-cts-8.1_r2android-cts-8.1_r19android-cts-8.1_r18android-cts-8.1_r17android-cts-8.1_r16android-cts-8.1_r15android-cts-8.1_r14android-cts-8.1_r13android-cts-8.1_r12android-cts-8.1_r11android-cts-8.1_r10android-cts-8.1_r1android-cts-8.0_r9android-cts-8.0_r8android-cts-8.0_r7android-cts-8.0_r6android-cts-8.0_r5android-cts-8.0_r4android-cts-8.0_r3android-cts-8.0_r26android-cts-8.0_r25android-cts-8.0_r24android-cts-8.0_r23android-cts-8.0_r22android-cts-8.0_r21android-cts-8.0_r20android-cts-8.0_r2android-cts-8.0_r19android-cts-8.0_r18android-cts-8.0_r17android-cts-8.0_r16android-cts-8.0_r15android-cts-8.0_r14android-cts-8.0_r13android-cts-8.0_r12android-cts-8.0_r11android-cts-8.0_r10android-cts-8.0_r1android-8.1.0_r9android-8.1.0_r81android-8.1.0_r80android-8.1.0_r8android-8.1.0_r79android-8.1.0_r78android-8.1.0_r77android-8.1.0_r76android-8.1.0_r75android-8.1.0_r74android-8.1.0_r73android-8.1.0_r72android-8.1.0_r71android-8.1.0_r70android-8.1.0_r7android-8.1.0_r69android-8.1.0_r68android-8.1.0_r67android-8.1.0_r66android-8.1.0_r65android-8.1.0_r64android-8.1.0_r63android-8.1.0_r62android-8.1.0_r61android-8.1.0_r60android-8.1.0_r6android-8.1.0_r53android-8.1.0_r52android-8.1.0_r51android-8.1.0_r50android-8.1.0_r5android-8.1.0_r48android-8.1.0_r47android-8.1.0_r46android-8.1.0_r45android-8.1.0_r43android-8.1.0_r42android-8.1.0_r41android-8.1.0_r40android-8.1.0_r4android-8.1.0_r39android-8.1.0_r38android-8.1.0_r37android-8.1.0_r36android-8.1.0_r35android-8.1.0_r33android-8.1.0_r32android-8.1.0_r31android-8.1.0_r30android-8.1.0_r3android-8.1.0_r29android-8.1.0_r28android-8.1.0_r27android-8.1.0_r26android-8.1.0_r25android-8.1.0_r23android-8.1.0_r22android-8.1.0_r21android-8.1.0_r20android-8.1.0_r2android-8.1.0_r19android-8.1.0_r18android-8.1.0_r17android-8.1.0_r16android-8.1.0_r15android-8.1.0_r14android-8.1.0_r13android-8.1.0_r12android-8.1.0_r11android-8.1.0_r10android-8.1.0_r1android-8.0.0_r9android-8.0.0_r7android-8.0.0_r51android-8.0.0_r50android-8.0.0_r49android-8.0.0_r48android-8.0.0_r47android-8.0.0_r46android-8.0.0_r45android-8.0.0_r44android-8.0.0_r43android-8.0.0_r42android-8.0.0_r41android-8.0.0_r40android-8.0.0_r4android-8.0.0_r39android-8.0.0_r38android-8.0.0_r37android-8.0.0_r36android-8.0.0_r35android-8.0.0_r34android-8.0.0_r33android-8.0.0_r32android-8.0.0_r31android-8.0.0_r30android-8.0.0_r3android-8.0.0_r29android-8.0.0_r28android-8.0.0_r27android-8.0.0_r26android-8.0.0_r25android-8.0.0_r24android-8.0.0_r23android-8.0.0_r22android-8.0.0_r21android-8.0.0_r2android-8.0.0_r17android-8.0.0_r16android-8.0.0_r15android-8.0.0_r13android-8.0.0_r12android-8.0.0_r11android-8.0.0_r10android-8.0.0_r1security-oc-releasesecurity-oc-mr1-releaseoreo-vts-releaseoreo-security-releaseoreo-releaseoreo-r6-releaseoreo-r5-releaseoreo-r4-releaseoreo-r3-releaseoreo-r2-releaseoreo-mr1-wear-releaseoreo-mr1-vts-releaseoreo-mr1-security-releaseoreo-mr1-s1-releaseoreo-mr1-releaseoreo-mr1-devoreo-mr1-cuttlefish-testingoreo-mr1-cts-releaseoreo-m8-releaseoreo-m7-releaseoreo-m6-s4-releaseoreo-m6-s3-releaseoreo-m6-s2-releaseoreo-m5-releaseoreo-m4-s9-releaseoreo-m4-s8-releaseoreo-m4-s7-releaseoreo-m4-s6-releaseoreo-m4-s5-releaseoreo-m4-s4-releaseoreo-m4-s3-releaseoreo-m4-s2-releaseoreo-m4-s12-releaseoreo-m4-s11-releaseoreo-m4-s10-releaseoreo-m4-s1-releaseoreo-m3-releaseoreo-m2-s5-releaseoreo-m2-s4-releaseoreo-m2-s3-releaseoreo-m2-s2-releaseoreo-m2-s1-releaseoreo-m2-releaseoreo-dr3-releaseoreo-dr2-releaseoreo-dr1-releaseoreo-dr1-devoreo-devoreo-cts-release
am: 211489aeae Change-Id: Iec6190334b446971ac7d109bc33dc853c4c3d32a
-rw-r--r--ares_mkquery.c80
1 files changed, 37 insertions, 43 deletions
diff --git a/ares_mkquery.c b/ares_mkquery.c
index e33f13f..aa41e6b 100644
--- a/ares_mkquery.c
+++ b/ares_mkquery.c
@@ -86,56 +86,29 @@
*/
int ares_mkquery(const char *name, int dnsclass, int type, unsigned short id,
- int rd, unsigned char **buf, int *buflen)
+ int rd, unsigned char **bufp, int *buflenp)
{
- int len;
+ size_t len;
unsigned char *q;
const char *p;
+ size_t buflen;
+ unsigned char *buf;
/* Set our results early, in case we bail out early with an error. */
- *buflen = 0;
- *buf = NULL;
+ *buflenp = 0;
+ *bufp = NULL;
- /* Compute the length of the encoded name so we can check buflen.
- * Start counting at 1 for the zero-length label at the end. */
- len = 1;
- for (p = name; *p; p++)
- {
- if (*p == '\\' && *(p + 1) != 0)
- p++;
- len++;
- }
- /* If there are n periods in the name, there are n + 1 labels, and
- * thus n + 1 length fields, unless the name is empty or ends with a
- * period. So add 1 unless name is empty or ends with a period.
- */
- if (*name && *(p - 1) != '.')
- len++;
-
- /* Immediately reject names that are longer than the maximum of 255
- * bytes that's specified in RFC 1035 ("To simplify implementations,
- * the total length of a domain name (i.e., label octets and label
- * length octets) is restricted to 255 octets or less."). We aren't
- * doing this just to be a stickler about RFCs. For names that are
- * too long, 'dnscache' closes its TCP connection to us immediately
- * (when using TCP) and ignores the request when using UDP, and
- * BIND's named returns ServFail (TCP or UDP). Sending a request
- * that we know will cause 'dnscache' to close the TCP connection is
- * painful, since that makes any other outstanding requests on that
- * connection fail. And sending a UDP request that we know
- * 'dnscache' will ignore is bad because resources will be tied up
- * until we time-out the request.
+ /* Allocate a memory area for the maximum size this packet might need. +2
+ * is for the length byte and zero termination if no dots or ecscaping is
+ * used.
*/
- if (len > MAXCDNAME)
- return ARES_EBADNAME;
-
- *buflen = len + HFIXEDSZ + QFIXEDSZ;
- *buf = malloc(*buflen);
- if (!*buf)
- return ARES_ENOMEM;
+ len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ;
+ buf = malloc(len);
+ if (!buf)
+ return ARES_ENOMEM;
/* Set up the header. */
- q = *buf;
+ q = buf;
memset(q, 0, HFIXEDSZ);
DNS_HEADER_SET_QID(q, id);
DNS_HEADER_SET_OPCODE(q, QUERY);
@@ -155,8 +128,10 @@ int ares_mkquery(const char *name, int dnsclass, int type, unsigned short id,
q += HFIXEDSZ;
while (*name)
{
- if (*name == '.')
+ if (*name == '.') {
+ free(buf);
return ARES_EBADNAME;
+ }
/* Count the number of bytes in this label. */
len = 0;
@@ -166,8 +141,10 @@ int ares_mkquery(const char *name, int dnsclass, int type, unsigned short id,
p++;
len++;
}
- if (len > MAXLABEL)
+ if (len > MAXLABEL) {
+ free(buf);
return ARES_EBADNAME;
+ }
/* Encode the length and copy the data. */
*q++ = (unsigned char)len;
@@ -191,5 +168,22 @@ int ares_mkquery(const char *name, int dnsclass, int type, unsigned short id,
DNS_QUESTION_SET_TYPE(q, type);
DNS_QUESTION_SET_CLASS(q, dnsclass);
+ q += QFIXEDSZ;
+
+ buflen = (q - buf);
+
+ /* Reject names that are longer than the maximum of 255 bytes that's
+ * specified in RFC 1035 ("To simplify implementations, the total length of
+ * a domain name (i.e., label octets and label length octets) is restricted
+ * to 255 octets or less."). */
+ if (buflen > (MAXCDNAME + HFIXEDSZ + QFIXEDSZ)) {
+ free(buf);
+ return ARES_EBADNAME;
+ }
+
+ /* we know this fits in an int at this point */
+ *buflenp = (int) buflen;
+ *bufp = buf;
+
return ARES_SUCCESS;
}