From 85c5202a64e3cb63e54550fca7bb11f24b9d12cc Mon Sep 17 00:00:00 2001 From: Calin Juravle Date: Thu, 6 Mar 2014 17:05:49 +0000 Subject: [PATCH] Fix broken pointer overflow check ns_name_unpack() Many compilers may optimize away the overflow check `msg + l < msg', where `msg' is a pointer and `l' is an integer, because pointer overflow is undefined behavior in C. Use a safe precondition test `l >= eom - msg' instead. Bug: 13219633 Change-Id: I3fca2125834073cc36d7e9c4e586e97842265a59 --- libc/dns/nameser/ns_name.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libc/dns/nameser/ns_name.c b/libc/dns/nameser/ns_name.c index 12bf02902..e3759abd7 100644 --- a/libc/dns/nameser/ns_name.c +++ b/libc/dns/nameser/ns_name.c @@ -473,11 +473,14 @@ ns_name_unpack2(const u_char *msg, const u_char *eom, const u_char *src, _DIAGASSERT(__type_fit(int, srcp - src + 1)); len = (int)(srcp - src + 1); } - srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff)); - if (srcp < msg || srcp >= eom) { /* Out of range. */ + // BEGIN android-changed: safer pointer overflow check + l = (((n & 0x3f) << 8) | (*srcp & 0xff)); + if (l >= eom - msg) { /* Out of range. */ errno = EMSGSIZE; return (-1); } + srcp = msg + l; + // END android-changed checked += 2; /* * Check for loops in the compressed name;