Synopsis: NIS hostname buffer overrun.
NetBSD versions: All
Thanks to: Itojun
Reported in NetBSD Security Advisory: SA2000-012
--- lib/libc/net/gethnamaddr.c 2000/07/07 11:03:38 1.35
+++ lib/libc/net/gethnamaddr.c 2000/07/30 05:44:36 1.36
@@ -1272,14 +1272,14 @@
* XXX: maybe support IPv6 parsing, based on 'af' setting
*/
nextline:
+ /* check for host_addrs overflow */
+ if (buf >= &host_addrs[sizeof(host_addrs) / sizeof(host_addrs[0])])
+ goto done;
+
more = 0;
cp = strpbrk(p, " \t");
- if (cp == NULL) {
- if (host.h_name == NULL)
- return (NULL);
- else
- goto done;
- }
+ if (cp == NULL)
+ goto done;
*cp++ = '\0';
*hap++ = (char *)(void *)buf;
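Review bot: The new guard at `nextline:` bounds only `buf`, while the `*hap++` store at the end of this hunk and the `*hap = NULL` terminator after `done:` write into a different array whose declaration is outside the hunk. If that pointer array does not hold at least one more entry than `host_addrs`, the last accepted address can still push the terminator one slot past its end. I would either test `hap` against its own array in the same condition or record the invariant beside the check, e.g. `/* hap's array must hold one more entry than host_addrs, for the NULL terminator */`. The `sizeof(host_addrs) / sizeof(host_addrs[0])` count is also only correct while `host_addrs` is a true array in this scope, which the hunk does not show.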
@@ -1320,6 +1320,8 @@
*cp++ = '\0';
}
done:
+ if (host.h_name == NULL)
+ return (NULL);
*q = NULL;
*hap = NULL;
return (&host);
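Review bot: The `host.h_name == NULL` test after `done:` carries no comment, yet it is now the one place that rejects a record, reached by both the overflow guard's `goto done` and the `cp == NULL` case in the earlier hunk. A one-line comment such as `/* no name was ever set: nothing parsed, so there is no entry to return */` would discourage a later edit from adding an exit that bypasses it. The function begins outside this hunk, so where `host.h_name` is reset on entry is not visible here. That is worth confirming, because a name left over from a previous call would let this check pass on a record that parsed nothing.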