From 43264bc36557db9a281b321aab16e574401dfddc Mon Sep 17 00:00:00 2001 From: Ken Chen Date: Fri, 7 Aug 2020 19:04:25 +0800 Subject: Fix OOB read in DNS resolver The remote server specifies resplen, the length of the response it intends to send. anssiz represents the size of the destination buffer. If the reported resplen is larger than the anssiz, the code correctly only reads up to anssiz bytes, but returns resplen. so later functions will access far out of bounds. The fix ensures that the length of send_vc return does not exceed the buffer size. Bug: 161362564 Test: build, flash, boot Test: atest netd_integration_test Merged-In: Id4b5df1be4652e4623847b0b0bad0af65b80fdd5 Change-Id: Id4b5df1be4652e4623847b0b0bad0af65b80fdd5 --- libc/dns/resolv/res_send.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libc/dns/resolv/res_send.c b/libc/dns/resolv/res_send.c index 18bb75279..81b42a628 100644 --- a/libc/dns/resolv/res_send.c +++ b/libc/dns/resolv/res_send.c @@ -950,6 +950,8 @@ send_vc(res_state statp, else break; } + // return size should never exceed container size + resplen = anssiz; } /* * If the calling applicating has bailed out of @@ -962,7 +964,7 @@ send_vc(res_state statp, DprintQ((statp->options & RES_DEBUG) || (statp->pfcode & RES_PRF_REPLY), (stdout, ";; old answer (unexpected):\n"), - ans, (resplen > anssiz) ? anssiz: resplen); + ans, resplen); goto read_len; } -- cgit v1.2.3