Fix OOB read in DNS resolver

The remote server specifies resplen, the length of the response it intends to send. anssiz represents the size of the destination buffer. If the reported resplen is larger than the anssiz, the code correctly only reads up to anssiz bytes, but returns resplen. so later functions will access far out of bounds. The fix ensures that the length of send_vc return does not exceed the buffer size. Bug: 161362564 Test: build, flash, boot Test: atest netd_integration_test Merged-In: Id4b5df1be4652e4623847b0b0bad0af65b80fdd5 Change-Id: Id4b5df1be4652e4623847b0b0bad0af65b80fdd5
author: Ken Chen <cken@google.com> 2020-08-07 19:04:25 +0800
committer: Ken Chen <cken@google.com> 2020-08-07 20:19:43 +0800
commit: 43264bc36557db9a281b321aab16e574401dfddc (patch)
tree: 7b95545601c687451e6a09f49b7e9f78b3be9a9e
parent: dad73ef232034dd0f4f46bda90c74e8727d840cc (diff)
download: bionic-43264bc36557db9a281b321aab16e574401dfddc.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/libc/dns/resolv/res_send.c b/libc/dns/resolv/res_send.c
index 18bb75279..81b42a628 100644
--- a/libc/dns/resolv/res_send.c
+++ b/libc/dns/resolv/res_send.c
@@ -950,6 +950,8 @@ send_vc(res_state statp,
 			else
 				break;
 		}
+		// return size should never exceed container size
+		resplen = anssiz;
 	}
 	/*
 	 * If the calling applicating has bailed out of
@@ -962,7 +964,7 @@ send_vc(res_state statp,
 		DprintQ((statp->options & RES_DEBUG) ||
 			(statp->pfcode & RES_PRF_REPLY),
 			(stdout, ";; old answer (unexpected):\n"),
-			ans, (resplen > anssiz) ? anssiz: resplen);
+			ans, resplen);
 		goto read_len;
 	}
author	Ken Chen <cken@google.com>	2020-08-07 19:04:25 +0800
committer	Ken Chen <cken@google.com>	2020-08-07 20:19:43 +0800
commit	43264bc36557db9a281b321aab16e574401dfddc (patch)
tree	7b95545601c687451e6a09f49b7e9f78b3be9a9e
parent	dad73ef232034dd0f4f46bda90c74e8727d840cc (diff)
download	bionic-43264bc36557db9a281b321aab16e574401dfddc.tar.gz