2449. [bug] libbind: Out of bounds reference in dns_ho.c:addrsort.
authorMark Andrews <marka@isc.org>
Wed, 24 Sep 2008 06:04:13 +0000 (06:04 +0000)
committerMark Andrews <marka@isc.org>
Wed, 24 Sep 2008 06:04:13 +0000 (06:04 +0000)
                        [RT #18044]

CHANGES
lib/bind/irs/dns_ho.c

diff --git a/CHANGES b/CHANGES
index 1f2830797ebc962daf170186c5c41a0fabd81069..01bc7cd5f8b69fe754bf396e17d15db9f8cc6546 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2449.  [bug]           libbind: Out of bounds reference in dns_ho.c:addrsort.
+                       [RT #18044]
+
 2444.  [port]          Linux, FreeBSD, AIX: Turn off path mtu discovery
                        (clear DF) for UDP responses and requests.
 
index b1bd5f01e6794ea207927d0a0937b5ebe5ad82f8..d942ae1be64f51f25d7050989690093a34f690b8 100644 (file)
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.7.4.9 2006/12/07 04:00:08 marka Exp $";
+static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.7.4.10 2008/09/24 06:04:13 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -962,7 +962,7 @@ gethostans(struct irs_ho *this,
                                        }
                                        if (m == 0)
                                                continue;
-                                       if (hap < &pvt->h_addr_ptrs[MAXADDRS-1])
+                                       if (hap < &pvt->h_addr_ptrs[MAXADDRS])
                                                hap++;
                                        *hap = NULL;
                                        bp += m;
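Review bot: The store `*hap = NULL;` after the relaxed bound can now land on index MAXADDRS, so it stays in bounds only if `h_addr_ptrs` is declared with MAXADDRS + 1 elements; that declaration is outside the hunk and should be confirmed as part of this change. The changed check in add_hostent (`hap >= &pvt->h_addr_ptrs[MAXADDRS]`) rests on the same assumption. A comment at this site, for example `/* h_addr_ptrs has MAXADDRS + 1 slots; the last one is reserved for the NULL terminator */`, would make the invariant explicit and protect it from a later edit to the array size. The enclosing loop in gethostans starts and ends outside the hunk.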
@@ -984,9 +984,10 @@ gethostans(struct irs_ho *this,
                        *ap = NULL;
                        *hap = NULL;
 
-                       if (pvt->res->nsort && haveanswer > 1 && qtype == T_A)
+                       if (pvt->res->nsort && hap != pvt->h_addr_ptrs &&
+                           qtype == T_A)
                                addrsort(pvt->res, pvt->h_addr_ptrs,
-                                        haveanswer);
+                                        hap - pvt->h_addr_ptrs);
                        if (pvt->host.h_name == NULL) {
                                n = strlen(qname) + 1;  /* for the \0 */
                                if (n > (ep - bp) || n >= MAXHOSTNAMELEN)
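Review bot: The new count argument `hap - pvt->h_addr_ptrs` is a ptrdiff_t and is narrowed implicitly if addrsort takes an int, which cannot be confirmed because its prototype is not visible here; writing `(int)(hap - pvt->h_addr_ptrs)` would document the conversion. The guard also changed from `haveanswer > 1` to `hap != pvt->h_addr_ptrs`, so a one-entry list is now passed to the sorter, and `hap - pvt->h_addr_ptrs > 1` would keep the old short-circuit. A short comment such as `/* count the filled slots; haveanswer may not match the number of stored addresses */` would record why the counter was replaced; that reading is inferred from the commit title rather than shown in the hunk.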
@@ -1053,7 +1054,7 @@ add_hostent(struct pvt *pvt, char *bp, char **hap, struct addrinfo *ai)
        /* Avoid overflows. */
        if (bp + addrlen > &pvt->hostbuf[sizeof(pvt->hostbuf) - 1])
                return(-1);
-       if (hap >= &pvt->h_addr_ptrs[MAXADDRS-1])
+       if (hap >= &pvt->h_addr_ptrs[MAXADDRS])
                return(0); /* fail, but not treat it as an error. */
 
        /* Suppress duplicates. */