The protocol is that a string is serialized with the nul byte at the end, and
the terminator is included in length. We'd call strndup with offset 0, length
len1-1, and then a second time with offset len1, length len2-1, so in the end
the check was off by one. But let's require the terminating nul too, even if
we don't access it.
CID #1383035.
if (ni_resp->hostlen > DNS_HOSTNAME_MAX ||
ni_resp->servlen > DNS_HOSTNAME_MAX ||
- sizeof(NameInfoResponse) + ni_resp->hostlen + ni_resp->servlen > length + 2)
+ sizeof(NameInfoResponse) + ni_resp->hostlen + ni_resp->servlen > length)
ASSIGN_ERRNO(q, EAI_SYSTEM, EIO, 0);
else {
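Review bot: the tightened bound on the `+` line only proves that each string's terminator byte lies inside `length`; nothing in the condition checks that the byte is actually nul, and nothing here says that `hostlen` and `servlen` count the terminator. A one-line comment above the `if` stating that both lengths include the trailing nul, and that its presence is required but its value is not inspected, would explain why there is no slack term and make it less likely that the `+ 2` is reintroduced. The sum itself cannot wrap because both fields are capped at `DNS_HOSTNAME_MAX` on the two lines before it, so the order of the three sub-conditions matters and should be kept. Since the message says the copies use `len - 1`, it is also worth confirming that the `else` branch handles a length of 0 before subtracting.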