plug host_addrs overrun. rogue NIS server can transmit tons of lines,

effectively overrun host_addrs buffer.
2000-07-30 02:44:36 +00:00 · 2000-07-30 02:44:36 +00:00 · 31089a149f
parent 490c966a83
commit 31089a149f
1 changed files with 10 additions and 8 deletions
--- a/lib/libc/net/gethnamaddr.c
+++ b/lib/libc/net/gethnamaddr.c
@ -1,4 +1,4 @@
-/*	$NetBSD: gethnamaddr.c,v 1.35 2000/07/07 08:03:38 itohy Exp $	*/
+/*	$NetBSD: gethnamaddr.c,v 1.36 2000/07/30 02:44:36 itojun Exp $	*/

 /*
 * ++Copyright++ 1985, 1988, 1993
@ -61,7 +61,7 @@
 static char sccsid[] = "@(#)gethostnamadr.c	8.1 (Berkeley) 6/4/93";
 static char rcsid[] = "Id: gethnamaddr.c,v 8.21 1997/06/01 20:34:37 vixie Exp ";
 #else
-__RCSID("$NetBSD: gethnamaddr.c,v 1.35 2000/07/07 08:03:38 itohy Exp $");
+__RCSID("$NetBSD: gethnamaddr.c,v 1.36 2000/07/30 02:44:36 itojun Exp $");
 #endif
 #endif /* LIBC_SCCS and not lint */

@ -1272,14 +1272,14 @@ _yphostent(line, af)
 	 * XXX: maybe support IPv6 parsing, based on 'af' setting
 	 */
 nextline:
+	/* check for host_addrs overflow */
+	if (buf >= &host_addrs[sizeof(host_addrs) / sizeof(host_addrs[0])])
+		goto done;
+
 	more = 0;
 	cp = strpbrk(p, " \t");
-	if (cp == NULL) {
-		if (host.h_name == NULL)
-			return (NULL);
-		else
-			goto done;
-	}
+	if (cp == NULL)
+		goto done;
 	*cp++ = '\0';

 	*hap++ = (char *)(void *)buf;
@ -1320,6 +1320,8 @@ nextline:
 			*cp++ = '\0';
 	}
 done:
+	if (host.h_name == NULL)
+		return (NULL);
 	*q = NULL;
 	*hap = NULL;
 	return (&host);