
get_iphlpapi_dns_info: fix buffer overrun

I experienced a buffer overrun exception in c-ares on Windows and
tracked it down to an error in the calculation of the 'left' variable
in get_iphlpapi_dns_info().

I changed the variable type of 'left' to a _signed_ type because of the
subtraction arithmetic; not sure if a long is the best choice
Poul Thomas Lomholt
2012-02-25 22:32:24 +01:00
committed by Daniel Stenberg
parent 90a150f045
commit 73dc26a9fc


@ -612,7 +612,7 @@ static int get_iphlpapi_dns_info (char *ret_buf, size_t ret_size)
{
const size_t ipv4_size = INET_ADDRSTRLEN + 1; /* +1 for ',' at end */
const size_t ipv6_size = INET6_ADDRSTRLEN + 12; /* +12 for "%0123456789," at end */
size_t left = ret_size;
long left = ret_size;
char *ret = ret_buf;
int count = 0;
@ -687,7 +687,7 @@ static int get_iphlpapi_dns_info (char *ret_buf, size_t ret_size)
ret[ stringlen ] = ',';
ret[ stringlen + 1 ] = '\0';
ret += stringlen + 1;
left -= ret - ret_buf;
left -= stringlen + 1;
++count;
}
else if( pGenericAddr->sa_family == AF_INET6 && left > ipv6_size )
@ -702,7 +702,7 @@ static int get_iphlpapi_dns_info (char *ret_buf, size_t ret_size)
ret[ stringlen ] = ',';
ret[ stringlen + 1 ] = '\0';
ret += stringlen + 1;
left -= ret - ret_buf;
left -= stringlen + 1;
++count;
/* NB on Windows this also returns stuff in the fec0::/10 range,
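Review bot: Changing `left` to `long` does not give the guard `left > ipv6_size` signed semantics, because `ipv6_size` is a `size_t` and the usual arithmetic conversions turn `left` into an unsigned value for that comparison on common ABIs, so a negative `left` would still pass the check as a very large number. The initialiser `long left = ret_size;` can also truncate a large `ret_size` where `long` is narrower than `size_t`, as on 64-bit Windows. With the subtraction corrected to `left -= stringlen + 1;`, `left` should not drop below zero as long as each branch's size guard holds and the bytes written never exceed the reserved size; the IPv4 guard and the declaration of `stringlen` lie outside the visible hunks, so that needs confirming against the full function. I would therefore keep `size_t left = ret_size;` and document the invariant with a comment such as `/* left = bytes still free in ret_buf; each branch's guard must cover the bytes it writes */`.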