From 31089a149f1a9b8248bd1b7cf9899d9a055d6d4b Mon Sep 17 00:00:00 2001
From: itojun
Date: Sun, 30 Jul 2000 02:44:36 +0000
Subject: [PATCH] plug host_addrs overrun. rogue NIS server can transmit tons of lines, effectively overrun host_addrs buffer.
---
 lib/libc/net/gethnamaddr.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/lib/libc/net/gethnamaddr.c b/lib/libc/net/gethnamaddr.c
index 70ba0c12aa96..70ce73d62243 100644
--- a/lib/libc/net/gethnamaddr.c
+++ b/lib/libc/net/gethnamaddr.c
@@ -1,4 +1,4 @@
-/* $NetBSD: gethnamaddr.c,v 1.35 2000/07/07 08:03:38 itohy Exp $ */
+/* $NetBSD: gethnamaddr.c,v 1.36 2000/07/30 02:44:36 itojun Exp $ */
 /*
 * ++Copyright++ 1985, 1988, 1993
@@ -61,7 +61,7 @@
 static char sccsid[] = "@(#)gethostnamadr.c 8.1 (Berkeley) 6/4/93";
 static char rcsid[] = "Id: gethnamaddr.c,v 8.21 1997/06/01 20:34:37 vixie Exp ";
 #else
-__RCSID("$NetBSD: gethnamaddr.c,v 1.35 2000/07/07 08:03:38 itohy Exp $");
+__RCSID("$NetBSD: gethnamaddr.c,v 1.36 2000/07/30 02:44:36 itojun Exp $");
 #endif
 #endif /* LIBC_SCCS and not lint */
@@ -1272,14 +1272,14 @@ _yphostent(line, af)
 * XXX: maybe support IPv6 parsing, based on 'af' setting
 */
 nextline:
+ /* check for host_addrs overflow */
+ if (buf >= &host_addrs[sizeof(host_addrs) / sizeof(host_addrs[0])])
+ goto done;
+
 more = 0;
 cp = strpbrk(p, " \t");
- if (cp == NULL) {
- if (host.h_name == NULL)
- return (NULL);
- else
- goto done;
- }
+ if (cp == NULL)
+ goto done;
 *cp++ = '\0';
 *hap++ = (char *)(void *)buf;
@@ -1320,6 +1320,8 @@ nextline:
 *cp++ = '\0';
 }
 done:
+ if (host.h_name == NULL)
+ return (NULL);
 *q = NULL;
 *hap = NULL;
 return (&host);
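Review bot: The guard added at `nextline:` bounds only `buf`, yet the same iteration also stores through `hap` (`*hap++ = (char *)(void *)buf;`), and the `done:` path in the last hunk writes `*hap = NULL` after the final entry. That is safe only if the array `hap` walks has at least one more slot than `host_addrs`; its declaration is outside these hunks, so this should be confirmed and written down next to the check, e.g. `/* hap advances once per buf slot; its array must hold one entry more than host_addrs for the NULL terminator */`. Stopping at the limit is also silent, so the caller receives a truncated address list with no indication that the NIS reply was cut short. The body of `_yphostent` between the third and fourth hunks is not visible here, so the alias pointer `q` that `done:` terminates with `*q = NULL` could not be checked against its own bound.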