udhcp: we call DNS name encoder with NULL, this can SEGV. added a check

function                                             old     new   delta
dname_enc                                            418     415      -3

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Denys Vlasenko 2010-03-24 16:11:32 +01:00
parent a14a9d73b1
commit 702f7d6c0b


@ -7,8 +7,6 @@
* Licensed under GPLv2 or later, see file LICENSE in this tarball for details. * Licensed under GPLv2 or later, see file LICENSE in this tarball for details.
*/ */
#if ENABLE_FEATURE_UDHCP_RFC3397
#include "common.h" #include "common.h"
#define NS_MAXDNAME 1025 /* max domain name length */ #define NS_MAXDNAME 1025 /* max domain name length */
@ -63,7 +61,7 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
if (dst) if (dst)
dst[len - 1] = '.'; dst[len - 1] = '.';
} else { } else {
/* null: end of current domain name */ /* NUL: end of current domain name */
if (retpos == 0) { if (retpos == 0) {
/* toplevel? keep going */ /* toplevel? keep going */
crtpos++; crtpos++;
@ -107,38 +105,39 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
*/ */
static uint8_t *convert_dname(const char *src) static uint8_t *convert_dname(const char *src)
{ {
uint8_t c, *res, *lp, *rp; uint8_t c, *res, *lenptr, *dst;
int len; int len;
res = xmalloc(strlen(src) + 2); res = xmalloc(strlen(src) + 2);
rp = lp = res; dst = lenptr = res;
rp++; dst++;
for (;;) { for (;;) {
c = (uint8_t)*src++; c = (uint8_t)*src++;
if (c == '.' || c == '\0') { /* end of label */ if (c == '.' || c == '\0') { /* end of label */
len = rp - lp - 1; len = dst - lenptr - 1;
/* label too long, too short, or two '.'s in a row? abort */ /* label too long, too short, or two '.'s in a row? abort */
if (len > NS_MAXLABEL || len == 0 || (c == '.' && *src == '.')) { if (len > NS_MAXLABEL || len == 0 || (c == '.' && *src == '.')) {
free(res); free(res);
return NULL; return NULL;
} }
*lp = len; *lenptr = len;
lp = rp++; if (c == '\0' || *src == '\0') /* "" or ".": end of src */
if (c == '\0' || *src == '\0') /* end of dname */
break; break;
} else { lenptr = dst++;
if (c >= 0x41 && c <= 0x5A) /* uppercase? convert to lower */ continue;
c += 0x20;
*rp++ = c;
} }
if (c >= 'A' && c <= 'Z') /* uppercase? convert to lower */
c += ('a' - 'A');
*dst++ = c;
} }
*lp = 0; if (dst - res >= NS_MAXCDNAME) { /* dname too long? abort */
if (rp - res > NS_MAXCDNAME) { /* dname too long? abort */
free(res); free(res);
return NULL; return NULL;
} }
*dst = 0;
return res; return res;
} }
@ -147,30 +146,35 @@ static uint8_t *convert_dname(const char *src)
static int find_offset(const uint8_t *cstr, int clen, const uint8_t *dname) static int find_offset(const uint8_t *cstr, int clen, const uint8_t *dname)
{ {
const uint8_t *c, *d; const uint8_t *c, *d;
int off, inc; int off;
/* find all labels in cstr */ /* find all labels in cstr */
off = 0; off = 0;
while (off < clen) { while (off < clen) {
c = cstr + off; c = cstr + off;
if ((*c & NS_CMPRSFLGS) == NS_CMPRSFLGS) { /* pointer, skip */ if ((*c & NS_CMPRSFLGS) == NS_CMPRSFLGS) { /* pointer, skip */
off += 2; off += 2;
} else if (*c) { /* label, try matching dname */ continue;
inc = *c + 1; }
if (*c) { /* label, try matching dname */
d = dname; d = dname;
while (*c == *d && memcmp(c + 1, d + 1, *c) == 0) { while (1) {
if (*c == 0) /* match, return offset */ unsigned len1 = *c + 1;
if (memcmp(c, d, len1) != 0)
break;
if (len1 == 1) /* at terminating NUL - match, return offset */
return off; return off;
d += *c + 1; d += len1;
c += *c + 1; c += len1;
if ((*c & NS_CMPRSFLGS) == NS_CMPRSFLGS) /* pointer, jump */ if ((*c & NS_CMPRSFLGS) == NS_CMPRSFLGS) /* pointer, jump */
c = cstr + (((c[0] & 0x3f) << 8) | c[1]); c = cstr + (((c[0] & 0x3f) << 8) | c[1]);
} }
off += inc; off += cstr[off] + 1;
} else { /* null, skip */ continue;
off++;
} }
/* NUL, skip */
off++;
} }
return -1; return -1;
@ -178,7 +182,7 @@ static int find_offset(const uint8_t *cstr, int clen, const uint8_t *dname)
/* computes string to be appended to cstr so that src would be added to /* computes string to be appended to cstr so that src would be added to
* the compression (best case, it's a 2-byte pointer to some offset within * the compression (best case, it's a 2-byte pointer to some offset within
* cstr; worst case, it's all of src, converted to rfc3011 format). * cstr; worst case, it's all of src, converted to <4>host<3>com<0> format).
* The computed string is returned directly; its length is returned via retlen; * The computed string is returned directly; its length is returned via retlen;
* NULL and 0, respectively, are returned if an error occurs. * NULL and 0, respectively, are returned if an error occurs.
*/ */
@ -193,17 +197,19 @@ uint8_t* FAST_FUNC dname_enc(const uint8_t *cstr, int clen, const char *src, int
return NULL; return NULL;
} }
for (d = dname; *d != 0; d += *d + 1) { d = dname;
off = find_offset(cstr, clen, d); while (*d) {
if (off >= 0) { /* found a match, add pointer and terminate string */ if (cstr) {
*d++ = NS_CMPRSFLGS + (off >> 8); off = find_offset(cstr, clen, d);
*d = off; if (off >= 0) { /* found a match, add pointer and return */
break; *d++ = NS_CMPRSFLGS | (off >> 8);
*d = off;
break;
}
} }
d += *d + 1;
} }
*retlen = d - dname + 1; *retlen = d - dname + 1;
return dname; return dname;
} }
#endif /* ENABLE_FEATURE_UDHCP_RFC3397 */
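Review bot: In the rewritten inner loop of `find_offset`, `memcmp(c, d, len1)` takes its length from `*c` alone, so when the label in `cstr` is longer than what remains of `dname` the call is asked to compare past the end of the `dname` buffer (presumably the `strlen(src) + 2` byte allocation from `convert_dname`). The old condition `*c == *d && memcmp(c + 1, d + 1, *c) == 0` checked that the length bytes matched before touching the payload. The same guard fits the new loop shape: `if (*c != *d || memcmp(c + 1, d + 1, *c) != 0) break;`. Separately, neither `c += len1` nor the jump `c = cstr + (((c[0] & 0x3f) << 8) | c[1])` is checked against `clen`; that predates this commit, and whether `cstr` can hold bytes not produced by this encoder is not visible here, but a comment stating that assumption (or a bound check) would help the next reader. The function's closing brace lies outside the hunk.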