- A patch supplied by David Cantrell at RedHat was applied that detects

  invalid calling parameters given to the ns_name_ntop() function.
  Specifically, it detects if the caller passed a pointer and size pair
  that causes the pointer to integer-wrap past zero.  [ISC-Bugs #17737]

diff --git a/RELNOTES b/RELNOTES
index d7d1d649c997a5129858ce5e5595b99b29650aa6..bd7619b483393eff820ac0efef9d4b8c1b3767b0 100644 (file)
--- a/RELNOTES
+++ b/RELNOTES
@@ -178,6 +178,11 @@ work on other platforms. Please report any problems and suggested fixes to
   detected, rather than simply if a lease is noticed to have expired (which it
   may have expired without a failover server noticing in some situations).
 
+- A patch supplied by David Cantrell at RedHat was applied that detects
+  invalid calling parameters given to the ns_name_ntop() function.
+  Specifically, it detects if the caller passed a pointer and size pair
+  that causes the pointer to integer-wrap past zero.
+
                        Changes since 4.1.0b1
 
 - A missing "else" in dhcrelay.c could have caused an interface not to

diff --git a/minires/ns_name.c b/minires/ns_name.c
index 65788753f48cc0c2bc0470a5ea29c1ba2ae6358a..5b749b7738bdc13965f936df9a63a515a878b528 100644 (file)
--- a/minires/ns_name.c
+++ b/minires/ns_name.c
@@ -22,7 +22,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_name.c,v 1.2 2005/03/17 20:15:17 dhankins Exp $";
+static const char rcsid[] = "$Id: ns_name.c,v 1.3 2009/07/22 21:58:14 dhankins Exp $";
 #endif
 
 #include <sys/types.h>
@@ -71,6 +71,11 @@ ns_name_ntop(const u_char *src, char *dst, size_t dstsiz) {
        dn = dst;
        eom = dst + dstsiz;
 
+       if (dn >= eom) {
+               errno = EMSGSIZE;
+               return (-1);
+       }
+
        while ((n = *cp++) != 0) {
                if ((n & NS_CMPRSFLGS) != 0) {
                        /* Some kind of compression pointer. */