[tor-commits] [tor/master] Another 10363 instance -- this one in the eventdns.c code

commit 6d9c332757c96e691ddeb024bd41035490a505d7 Author: Nick Mathewson nickm@torproject.org Date: Wed Dec 11 15:15:21 2013 -0500

Another 10363 instance -- this one in the eventdns.c code --- changes/bug10363 | 3 +++ src/ext/eventdns.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/changes/bug10363 b/changes/bug10363 index a3c9905..0cdfd9a 100644 --- a/changes/bug10363 +++ b/changes/bug10363 @@ -6,4 +6,7 @@ - Fix another possibly undefined pointer operations in tor_memmem fallback implementation. Another case of bug #10363; bugfix on 0.1.1.1-alpha. + - Fix another possibly undefined pointer operations in the eventdns + fallback implementation. Another case of bug #10363; bugfix on + 0.1.2.1-alpha.

diff --git a/src/ext/eventdns.c b/src/ext/eventdns.c index 66280cc..a64c562 100644 --- a/src/ext/eventdns.c +++ b/src/ext/eventdns.c @@ -842,10 +842,11 @@ name_parse(u8 *packet, int length, int *idx, char *name_out, size_t name_out_len } if (label_len > 63) return -1; if (cp != name_out) { - if (cp + 1 >= end) return -1; + if (cp >= name_out + name_out_len - 1) return -1; *cp++ = '.'; } - if (cp + label_len >= end) return -1; + if (label_len > name_out_len || + cp >= name_out + name_out_len - label_len) return -1; memcpy(cp, packet + j, label_len); cp += label_len; j += label_len;