diff options
| author |   bluhm <bluhm@openbsd.org> | 2015-11-05 22:44:37 +0000 |
|---|---|---|
| committer | bluhm <bluhm@openbsd.org> | 2015-11-05 22:44:37 +0000 |
| commit | 177fe54c06e84c3e180975eddaf4c1ab8677dc59 (patch) | |
| tree | 66479cc79d686adb43d3febfcd22c8a54be05618 /lib/libc/asr/res_init.c | |
| parent | Now that the kernel virtual address space has been made larger, even on (diff) | |
| download | wireguard-openbsd-177fe54c06e84c3e180975eddaf4c1ab8677dc59.tar.xz wireguard-openbsd-177fe54c06e84c3e180975eddaf4c1ab8677dc59.zip | |
When filling the __res_state compatibiliy struct, a long list of
nameservers could overflow the dns search pointers. Restrict the
number, size and address family of nameservers in res_init(3). This
fixes a crash in sendmail. Only programs that use the bind resolver
internals directly are affected.
OK deraadt@ millert@
Diffstat (limited to 'lib/libc/asr/res_init.c')
| -rw-r--r-- | lib/libc/asr/res_init.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/lib/libc/asr/res_init.c b/lib/libc/asr/res_init.c index 03ed33562b8..52705658fda 100644 --- a/lib/libc/asr/res_init.c +++ b/lib/libc/asr/res_init.c @@ -1,4 +1,4 @@ -/* $OpenBSD: res_init.c,v 1.6 2015/10/05 02:57:16 guenther Exp $ */ +/* $OpenBSD: res_init.c,v 1.7 2015/11/05 22:44:37 bluhm Exp $ */ /* * Copyright (c) 2012 Eric Faurot <eric@openbsd.org> * @@ -39,7 +39,7 @@ res_init(void) { _THREAD_PRIVATE_MUTEX(init); struct asr_ctx *ac; - int i; + int i, j; ac = _asr_use_resolver(NULL); @@ -58,9 +58,13 @@ res_init(void) strlcpy(_res.lookups, ac->ac_db, sizeof(_res.lookups)); _res.nscount = ac->ac_nscount; - for (i = 0; i < ac->ac_nscount; i++) { - memcpy(&_res.nsaddr_list[i], ac->ac_ns[i], + for (i = 0, j = 0; i < ac->ac_nscount && j < MAXNS; i++) { + if (ac->ac_ns[i]->sa_family != AF_INET || + ac->ac_ns[i]->sa_len > sizeof(_res.nsaddr_list[j])) + continue; + memcpy(&_res.nsaddr_list[j], ac->ac_ns[i], ac->ac_ns[i]->sa_len); + j++; } _res.options |= RES_INIT; } |