From: Szabolcs Nagy
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: [PATCH] fix handling of zero length domain names in dn_expand
Date: Thu, 4 Sep 2014 19:07:27 +0200
Message-ID: <20140904170726.GC10361@port70.net>
References: <1407918101-3407-1-git-send-email-ncopa@alpinelinux.org> <20140904095039.496f5810@ncopa-desktop.alpinelinux.org>
In-Reply-To: <20140904095039.496f5810@ncopa-desktop.alpinelinux.org>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
Xref: news.gmane.org gmane.linux.lib.musl.general:6061
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="5mCyUwZo2JvN/JJP"
Content-Disposition: inline

--5mCyUwZo2JvN/JJP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

* Natanael Copa [2014-09-04 09:50:39 +0200]:
> On Wed, 13 Aug 2014 10:21:41 +0200
> Natanael Copa wrote:
>
> > Copy a zero length string instead of returning error when trying to
> > expand a zero length domain name (null terminator).
> > > Rich pointed out to me on IRC that this will not write terminating '\0' > when domain name length is zero. I'll send new patch. > here is a patch --5mCyUwZo2JvN/JJP Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="0001-fix-empty-name-handling-in-dn_expand.patch" >From 49b96b160fdde9218bcaffa196ca9e6d5a233094 Mon Sep 17 00:00:00 2001 From: Szabolcs Nagy Date: Thu, 4 Sep 2014 18:29:16 +0200 Subject: [PATCH] fix empty name handling in dn_expand Empty name was rejected in dn_expand since commit 56b57f37a46dab432247bf29d96fcb11fbd02a6d which is a regression as reported by Natanael Copa. But it turns out only an "uncompressed" empty name was rejected, if an offset pointer is used to represent an empty name then dn_expand failed to null terminate the returned name. this fix makes dn_expand accept and return empty names correctly. --- src/network/dn_expand.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/network/dn_expand.c b/src/network/dn_expand.c index 849df19..4fa6af8 100644 --- a/src/network/dn_expand.c +++ b/src/network/dn_expand.c @@ -6,7 +6,7 @@ int __dn_expand(const unsigned char *base, const unsigned char *end, const unsig const unsigned char *p = src; char *dend = dest + (space > 254 ? 254 : space); int len = -1, i, j; - if (p==end || !*p) return -1; + if (p==end) return -1; /* detect reference loop using an iteration counter */ for (i=0; i < end-base; i+=2) { if (*p & 0xc0) { @@ -16,11 +16,13 @@ int __dn_expand(const unsigned char *base, const unsigned char *end, const unsig if (j >= end-base) return -1; p = base+j; } else if (*p) { - j = *p+1; - if (j>=end-p || j>dend-dest) return -1; - while (--j) *dest++ = *++p; - *dest++ = *++p ? '.' : 0; + j = *p++; + if (j >= end-p || j >= dend-dest) return -1; + while (j--) *dest++ = *p++; + if (*p) *dest++ = '.'; } else { + if (dest == dend) return -1; + *dest = 0; if (len < 0) len = p+1-src; return len; } -- 1.7.10.4 --5mCyUwZo2JvN/JJP--
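Review bot: In the first hunk, dropping `!*p` from the entry check means an empty name now reaches the new `*dest = 0` store, and the only guard in front of that store is `dest == dend`. That guard catches `space == 0`, but `dend` is computed as `dest + (space > 254 ? 254 : space)`, so if `space` is signed and a caller passes a negative value, `dend` lies below `dest`, the equality test is false, and the terminator is written into a buffer the caller said has no room. Before this change the `!*p` early return happened to cover that path for an uncompressed empty name. Suggest rejecting it up front, e.g. `if (p==end || space <= 0) return -1;`, and noting in the commit message that the empty-name path now depends on the space check.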
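Review bot: In the second hunk, `if (*p) *dest++ = '.';` decides whether to emit a separator by looking at the next length byte, but that byte is also nonzero when it is a compression pointer (`*p & 0xc0`). If the pointer resolves to a zero byte, the loop follows it and the new `else` branch terminates the string, so the result carries a trailing '.' while the same name encoded with a literal zero terminator does not. Callers comparing or re-encoding expanded names would see two spellings of one name. Emitting the separator before each label other than the first (remember the initial `dest` and test `dest != start` at the top of the label branch) avoids the lookahead entirely; the `j >= dend-dest` bound then has to account for the extra byte. A regression test with a label followed by a pointer to an empty name would cover both this and the missing-terminator case described in the commit message.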