Fix integer shift overflow if both tcp_socket and udp_socket are set

The problem occurs if at the start of the loop the sockindex is at the last valid ARES_GETSOCK_MAXNUM position. If then both udp_socket and tcp_socket are valid, sockindex gets incremented for UDP first and points one entry behind the array for the tcp block. So the fix is to check after every increment of sockindex if it is still valid. Fix Coverity error CID 56878 Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
2014-09-28 22:19:24 +02:00 · 2014-09-28 22:19:24 +02:00 · 7db1afd38f
parent 13dc4800b2
commit 7db1afd38f
1 changed files with 3 additions and 5 deletions
--- a/ares_getsock.c
+++ b/ares_getsock.c
@ -30,9 +30,7 @@ int ares_getsock(ares_channel channel,
  /* Are there any active queries? */
  int active_queries = !ares__is_list_empty(&(channel->all_queries));

-  for (i = 0;
-       (i < channel->nservers) && (sockindex < ARES_GETSOCK_MAXNUM);
-       i++)
+  for (i = 0; i < channel->nservers; i++)
    {
      server = &channel->servers[i];
      /* We only need to register interest in UDP sockets if we have
@ -40,7 +38,7 @@ int ares_getsock(ares_channel channel,
       */
      if (active_queries && server->udp_socket != ARES_SOCKET_BAD)
        {
-          if(sockindex >= numsocks)
+          if(sockindex >= numsocks || sockindex >= ARES_GETSOCK_MAXNUM)
            break;
          socks[sockindex] = server->udp_socket;
          bitmap |= ARES_GETSOCK_READABLE(setbits, sockindex);
@ -52,7 +50,7 @@ int ares_getsock(ares_channel channel,
       */
      if (server->tcp_socket != ARES_SOCKET_BAD)
       {
-         if(sockindex >= numsocks)
+         if(sockindex >= numsocks || sockindex >= ARES_GETSOCK_MAXNUM)
           break;
         socks[sockindex] = server->tcp_socket;
         bitmap |= ARES_GETSOCK_READABLE(setbits, sockindex);