generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Overhauled ares__get_hostent()

Browse Source 
- Fixing out of bounds memory overwrite triggered with malformed /etc/hosts file.
- Improving parsing of /etc/hosts file.
- Validating requested address family.
- Ensuring that failures always return a NULL pointer.
- Adjusting header inclusions.
This commit is contained in:
Yang Tse 2009-10-07 18:47:04 +00:00
parent 2eeafcf9a6
commit 052dac0d3f
3 changed files with 164 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ares/CHANGES
View File

@ -1,5 +1,11 @@
Changelog for the c-ares project Changelog for the c-ares project
* October 7, 2009 (Yang Tse)
- Overhauled ares__get_hostent() Fixing out of bounds memory overwrite
triggered with malformed /etc/hosts file. Improving parsing of /etc/hosts
file. Validating requested address family. Ensuring that failures always
return a NULL pointer. Adjusting header inclusions.
* 4 Sep 2009 (Daniel Stenberg) * 4 Sep 2009 (Daniel Stenberg)
- Jakub Hrozek added ares_parse_srv_reply() for SRV parsing - Jakub Hrozek added ares_parse_srv_reply() for SRV parsing

1
ares/RELEASE-NOTES
View File

@ -19,6 +19,7 @@ Fixed:
o only expose/export symbols starting with 'ares_' o only expose/export symbols starting with 'ares_'
o fix \Device\TCP handle leaks triggered by buggy iphlpapi.dll o fix \Device\TCP handle leaks triggered by buggy iphlpapi.dll
o init without internet gone no longer fails o init without internet gone no longer fails
o out of bounds memory overwrite triggered with malformed /etc/hosts file
Thanks go to these friendly people for their efforts and contributions: Thanks go to these friendly people for their efforts and contributions:

232
ares/ares__get_hostent.c
View File

@ -1,6 +1,6 @@
/* $Id$ */ /* $Id$ */
/* Copyright 1998 by the Massachusetts Institute of Technology. /* Copyright 1998, 2009 by the Massachusetts Institute of Technology.
* *
* Permission to use, copy, modify, and distribute this * Permission to use, copy, modify, and distribute this
* software and its documentation for any purpose and without * software and its documentation for any purpose and without
@ -17,7 +17,6 @@
#include "setup.h" #include "setup.h"
#if !defined(WIN32) || defined(WATT32)
#ifdef HAVE_SYS_SOCKET_H #ifdef HAVE_SYS_SOCKET_H
# include <sys/socket.h> # include <sys/socket.h>
#endif #endif
@ -30,12 +29,6 @@
#ifdef HAVE_ARPA_INET_H #ifdef HAVE_ARPA_INET_H
# include <arpa/inet.h> # include <arpa/inet.h>
#endif #endif
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "ares.h" #include "ares.h"
#include "inet_net_pton.h" #include "inet_net_pton.h"
@ -43,135 +36,202 @@
int ares__get_hostent(FILE *fp, int family, struct hostent **host) int ares__get_hostent(FILE *fp, int family, struct hostent **host)
{ {
char *line = NULL, *p, *q, *canonical, **alias; char *line = NULL, *p, *q, **alias;
int status, linesize, end_at_hostname, naliases; char *txtaddr, *txthost, *txtalias;
int status, linesize, addrfam, naliases;
struct in_addr addr; struct in_addr addr;
struct in6_addr addr6; struct in6_addr addr6;
size_t addrlen = sizeof(struct in_addr); size_t addrlen;
struct hostent *hostent = NULL; struct hostent *hostent = NULL;
*host = NULL; /* Assume failure */
/* Validate family */
switch (family) {
case AF_INET:
case AF_INET6:
case AF_UNSPEC:
break;
default:
return ARES_EBADFAMILY;
}
while ((status = ares__read_line(fp, &line, &linesize)) == ARES_SUCCESS) while ((status = ares__read_line(fp, &line, &linesize)) == ARES_SUCCESS)
{ {
/* Skip comment lines; terminate line at comment character. */
if (*line == '#' || !*line)
continue;
p = strchr(line, '#');
if (p)
*p = 0;
/* Get the address part. */ /* Trim line comment. */
p = line; p = line;
while (*p && (*p != '#'))
p++;
*p = '\0';
/* Trim trailing whitespace. */
q = p - 1;
while ((q >= line) && ISSPACE(*q))
q--;
*++q = '\0';
/* Skip leading whitespace. */
p = line;
while (*p && ISSPACE(*p))
p++;
if (!*p)
/* Ignore line if empty. */
continue;
/* Pointer to start of IPv4 or IPv6 address part. */
txtaddr = p;
/* Advance past address part. */
while (*p && !ISSPACE(*p)) while (*p && !ISSPACE(*p))
p++; p++;
if (!*p) if (!*p)
continue; /* Ignore line if reached end of line. */
*p = 0;
addr.s_addr = inet_addr(line);
if (addr.s_addr == INADDR_NONE)
{
/* It wasn't an AF_INET dotted address, then AF_UNSPEC and AF_INET6
families are subject for this further check */
if ((family != AF_INET) &&
(ares_inet_pton(AF_INET6, line, &addr6) > 0)) {
addrlen = sizeof(struct in6_addr);
family = AF_INET6;
}
else
continue;
}
else if (family == AF_UNSPEC)
family = AF_INET; /* now confirmed! */
else if (family != AF_INET)
/* unknown, keep moving */
continue; continue;
/* Get the canonical hostname. */ /* Null terminate address part. */
*p = '\0';
/* Advance to host name */
p++; p++;
while (ISSPACE(*p)) while (*p && ISSPACE(*p))
p++; p++;
if (!*p) if (!*p)
/* Ignore line if reached end of line. */
continue; continue;
q = p;
while (*q && !ISSPACE(*q))
q++;
end_at_hostname = (*q == 0);
*q = 0;
canonical = p;
naliases = 0; /* Pointer to start of host name. */
if (!end_at_hostname) txthost = p;
{
/* Count the aliases. */ /* Advance past host name. */
p = q + 1; while (*p && !ISSPACE(*p))
while (ISSPACE(*p))
p++; p++;
/* Pointer to start of first alias. */
txtalias = NULL;
if (*p)
{
q = p + 1;
while (*q && ISSPACE(*q))
q++;
if (*q)
txtalias = q;
}
/* Null terminate host name. */
*p = '\0';
/* find out number of aliases. */
naliases = 0;
if (txtalias)
{
p = txtalias;
while (*p) while (*p)
{ {
while (*p && !ISSPACE(*p)) while (*p && !ISSPACE(*p))
p++; p++;
while (ISSPACE(*p)) while (*p && ISSPACE(*p))
p++; p++;
naliases++; naliases++;
} }
} }
/* Allocate memory for the host structure. */ /* Convert address string to network address for the requested family. */
addrlen = 0;
addrfam = AF_UNSPEC;
if ((family == AF_INET) || (family == AF_UNSPEC))
{
addr.s_addr = inet_addr(txtaddr);
if (addr.s_addr != INADDR_NONE)
{
/* Actual network address family and length. */
addrfam = AF_INET;
addrlen = sizeof(struct in_addr);
}
}
if ((family == AF_INET6) || ((family == AF_UNSPEC) && (!addrlen)))
{
if (ares_inet_pton(AF_INET6, txtaddr, &addr6) > 0)
{
/* Actual network address family and length. */
addrfam = AF_INET6;
addrlen = sizeof(struct in6_addr);
}
}
if (!addrlen)
/* Ignore line if invalid address string for the requested family. */
continue;
/*
** Actual address family possible values are AF_INET and AF_INET6 only.
*/
/* Allocate memory for the hostent structure. */
hostent = malloc(sizeof(struct hostent)); hostent = malloc(sizeof(struct hostent));
if (!hostent) if (!hostent)
break; break;
/* Initialize fields for out of memory condition. */
hostent->h_aliases = NULL; hostent->h_aliases = NULL;
hostent->h_addr_list = NULL; hostent->h_addr_list = NULL;
hostent->h_name = strdup(canonical);
/* Copy official host name. */
hostent->h_name = strdup(txthost);
if (!hostent->h_name) if (!hostent->h_name)
break; break;
/* Copy network address. */
hostent->h_addr_list = malloc(2 * sizeof(char *)); hostent->h_addr_list = malloc(2 * sizeof(char *));
if (!hostent->h_addr_list) if (!hostent->h_addr_list)
break; break;
hostent->h_addr_list[1] = NULL;
hostent->h_addr_list[0] = malloc(addrlen); hostent->h_addr_list[0] = malloc(addrlen);
if (!hostent->h_addr_list[0]) if (!hostent->h_addr_list[0])
break; break;
if (addrfam == AF_INET)
memcpy(hostent->h_addr_list[0], &addr, addrlen);
else
memcpy(hostent->h_addr_list[0], &addr6, addrlen);
/* Copy aliases. */
hostent->h_aliases = malloc((naliases + 1) * sizeof(char *)); hostent->h_aliases = malloc((naliases + 1) * sizeof(char *));
if (!hostent->h_aliases) if (!hostent->h_aliases)
break; break;
alias = hostent->h_aliases;
/* Copy in aliases. */ while (naliases >= 0)
naliases = 0; *(alias + naliases--) = NULL;
if (!end_at_hostname) while (txtalias)
{ {
p = canonical + strlen(canonical) + 1; p = txtalias;
while (ISSPACE(*p)) while (*p && !ISSPACE(*p))
p++; p++;
while (*p)
{
q = p; q = p;
while (*q && !ISSPACE(*q)) while (*q && ISSPACE(*q))
q++; q++;
hostent->h_aliases[naliases] = malloc(q - p + 1); *p = '\0';
if (hostent->h_aliases[naliases] == NULL) if ((*alias = strdup(txtalias)) == NULL)
break; break;
memcpy(hostent->h_aliases[naliases], p, q - p); alias++;
hostent->h_aliases[naliases][q - p] = 0; txtalias = *q ? q : NULL;
p = q;
while (ISSPACE(*p))
p++;
naliases++;
} }
if (*p) if (txtalias)
/* Alias memory allocation failure. */
break; break;
}
hostent->h_aliases[naliases] = NULL;
hostent->h_addrtype = family; /* Copy actual network address family and length. */
hostent->h_addrtype = addrfam;
hostent->h_length = (int)addrlen; hostent->h_length = (int)addrlen;
if (family == AF_INET)
memcpy(hostent->h_addr_list[0], &addr, addrlen); /* Free line buffer. */
else if (family == AF_INET6)
memcpy(hostent->h_addr_list[0], &addr6, addrlen);
hostent->h_addr_list[1] = NULL;
*host = hostent;
free(line); free(line);
/* Return hostent successfully */
*host = hostent;
return ARES_SUCCESS; return ARES_SUCCESS;
} }
/* If allocated, free line buffer. */
if (line) if (line)
free(line); free(line);
@ -186,16 +246,16 @@ int ares__get_hostent(FILE *fp, int family, struct hostent **host)
{ {
for (alias = hostent->h_aliases; *alias; alias++) for (alias = hostent->h_aliases; *alias; alias++)
free(*alias); free(*alias);
}
if(hostent->h_aliases)
free(hostent->h_aliases); free(hostent->h_aliases);
if (hostent->h_addr_list && hostent->h_addr_list[0]) }
free(hostent->h_addr_list[0]);
if (hostent->h_addr_list) if (hostent->h_addr_list)
{
if (hostent->h_addr_list[0])
free(hostent->h_addr_list[0]);
free(hostent->h_addr_list); free(hostent->h_addr_list);
}
free(hostent); free(hostent);
} }
*host = NULL;
return ARES_ENOMEM; return ARES_ENOMEM;
} }