From: Zbigniew Jędrzejewski-Szmek Date: Mon, 14 May 2018 14:59:20 +0000 (+0200) Subject: sd-resolve: fix check for packet size X-Git-Tag: v239~239^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F8993%2Fhead;p=thirdparty%2Fsystemd.git sd-resolve: fix check for packet size The protocol is that a string is serialized with the nul byte at the end, and the terminator is included in length. We'd call strndup with offset 0, length len1-1, and then a second time with offset len1, length len2-1, so in the end the check was off by one. But let's require the terminating nul too, even if we don't access it. CID #1383035. --- diff --git a/src/libsystemd/sd-resolve/sd-resolve.c b/src/libsystemd/sd-resolve/sd-resolve.c index acd3146bfb8..ba0f15538d8 100644 --- a/src/libsystemd/sd-resolve/sd-resolve.c +++ b/src/libsystemd/sd-resolve/sd-resolve.c @@ -802,7 +802,7 @@ static int handle_response(sd_resolve *resolve, const Packet *packet, size_t len if (ni_resp->hostlen > DNS_HOSTNAME_MAX || ni_resp->servlen > DNS_HOSTNAME_MAX || - sizeof(NameInfoResponse) + ni_resp->hostlen + ni_resp->servlen > length + 2) + sizeof(NameInfoResponse) + ni_resp->hostlen + ni_resp->servlen > length) ASSIGN_ERRNO(q, EAI_SYSTEM, EIO, 0); else {
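Review bot: the tightened bound in handle_response() (sizeof(NameInfoResponse) + ni_resp->hostlen + ni_resp->servlen > length) is only correct if hostlen and servlen each count the terminating nul, and nothing at the condition says so. A one-line comment there stating that both lengths include the terminator would keep a later reader from reintroducing the "+ 2" slack. The commit message describes copies of len1-1 and len2-1 bytes, and the visible lines do not show what happens when hostlen or servlen is 0, so please confirm that the else branch skips the copy in that case instead of computing a length of 0-1. The check also only guarantees that the terminator byte lies inside the packet, not that it is actually nul; that is acceptable as long as the copies stay bounded at len-1 as the message describes.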