sd-resolve: fix check for packet size

The protocol is that a string is serialized with the nul byte at the end, and
the terminator is included in length. We'd call strndup with offset 0, length
len1-1, and then a second time with offset len1, length len2-1, so in the end
the check was off by one. But let's require the terminating nul too, even if
we don't access it.

CID #1383035.

diff --git a/src/libsystemd/sd-resolve/sd-resolve.c b/src/libsystemd/sd-resolve/sd-resolve.c
index acd3146bfb8d08552cc0aae0e8762f660b0976ca..ba0f15538d897db494981ce2f6442cf33720d31f 100644 (file)
--- a/src/libsystemd/sd-resolve/sd-resolve.c
+++ b/src/libsystemd/sd-resolve/sd-resolve.c
@@ -802,7 +802,7 @@ static int handle_response(sd_resolve *resolve, const Packet *packet, size_t len
 
                 if (ni_resp->hostlen > DNS_HOSTNAME_MAX ||
                     ni_resp->servlen > DNS_HOSTNAME_MAX ||
-                    sizeof(NameInfoResponse) + ni_resp->hostlen + ni_resp->servlen > length + 2)
+                    sizeof(NameInfoResponse) + ni_resp->hostlen + ni_resp->servlen > length)
                         ASSIGN_ERRNO(q, EAI_SYSTEM, EIO, 0);
 
                 else {