Fix OOB read in DNS resolver
The remote server specifies resplen, the length of the response it
intends to send. anssiz represents the size of the destination buffer.
If the reported resplen is larger than the anssiz, the code correctly
only reads up to anssiz bytes, but returns resplen. so later functions
will access far out of bounds.
The fix ensures that the length of send_vc return does not exceed the
buffer size.
Bug: 161362564
Test: atest pass on HWAddressSanitizer build.
Merged-In: Id4b5df1be4652e4623847b0b0bad0af65b80fdd5
Change-Id: Id4b5df1be4652e4623847b0b0bad0af65b80fdd5
(cherry picked from commit cf6ee247113426ef4e7365a86d00bb5430186802)
(cherry picked from commit 5214c6bebaadfe307579ee930fc650235b157192)
diff --git a/res_send.cpp b/res_send.cpp
index 2db8220..04421c5 100644
--- a/res_send.cpp
+++ b/res_send.cpp
@@ -829,6 +829,9 @@
else
break;
}
+ LOG(WARNING) << __func__ << ": resplen " << resplen << " exceeds buf size " << anssiz;
+ // return size should never exceed container size
+ resplen = anssiz;
}
/*
* If the calling application has bailed out of
@@ -839,7 +842,7 @@
*/
if (hp->id != anhp->id) {
LOG(DEBUG) << __func__ << ": ld answer (unexpected):";
- res_pquery(ans, (resplen > anssiz) ? anssiz : resplen);
+ res_pquery(ans, resplen);
goto read_len;
}