author | Poul Thomas Lomholt <pt@lomholt.com> | 2012-02-25 22:32:24 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2012-02-25 22:32:24 +0100 |
commit | 73dc26a9fc09fdce253a299a0144dc7ca6c10bf4 (patch) | |
tree | 0a12b25c421d2bb21bc94193e2e8694f509cf02b /ares_init.c | |
parent | 90a150f0452921448bfd8569974077e38c91dcca (diff) | |
get_iphlpapi_dns_info: fix buffer overrun
I experienced a buffer overrun exception in c-ares on Windows and
tracked it down to be an error in the calculation of the 'left' variable
in get_iphlpapi_dns_info().
I changed the variable type of 'left' to a _signed_ type because of the
subtraction arithmetic; not sure if a long is the best choice
Diffstat (limited to 'ares_init.c')
-rw-r--r-- | ares_init.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/ares_init.c b/ares_init.c
index d18f97e..65d53a3 100644
--- a/ares_init.c
+++ b/ares_init.c
@@ -612,7 +612,7 @@ static int get_iphlpapi_dns_info (char *ret_buf, size_t ret_size)
 {
 const size_t ipv4_size = INET_ADDRSTRLEN + 1; /* +1 for ',' at end */
 const size_t ipv6_size = INET6_ADDRSTRLEN + 12; /* +12 for "%0123456789," at end */
- size_t left = ret_size;
+ long left = ret_size;
 char *ret = ret_buf;
 int count = 0;
@@ -687,7 +687,7 @@ static int get_iphlpapi_dns_info (char *ret_buf, size_t ret_size)
 ret[ stringlen ] = ',';
 ret[ stringlen + 1 ] = '\0';
 ret += stringlen + 1;
- left -= ret - ret_buf;
+ left -= stringlen + 1;
 ++count;
 }
 else if( pGenericAddr->sa_family == AF_INET6 && left > ipv6_size )
@@ -702,7 +702,7 @@ static int get_iphlpapi_dns_info (char *ret_buf, size_t ret_size)
 ret[ stringlen ] = ',';
 ret[ stringlen + 1 ] = '\0';
 ret += stringlen + 1;
- left -= ret - ret_buf;
+ left -= stringlen + 1;
 ++count;
 /* NB on Windows this also returns stuff in the fec0::/10 range, |
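Review bot: Declaring `left` as `long` in the first hunk does not make the bounds checks signed: `left > ipv6_size` (visible in the second hunk) compares it with a `const size_t`, so under the usual arithmetic conversions a negative `left` becomes a large unsigned value and the guard would still pass. On 64-bit Windows `long` is also narrower than `size_t`, so `long left = ret_size;` can truncate a large `ret_size`. With the corrected `left -= stringlen + 1;` the counter should no longer underflow as long as each entry fits in the size the guard checks, so keeping `size_t left = ret_size;` looks like the safer choice; if a signed type is kept, the guards need an explicit `left > 0 &&` or a cast. The function body starts and ends outside these hunks, so the IPv4 guard is assumed to have the same form.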
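Review bot: The per-entry bookkeeping `ret += stringlen + 1; left -= stringlen + 1;` is repeated in the IPv4 branch of the second hunk and the IPv6 branch of the third, and nothing in the visible lines ties `left` to `ret`, which is how the two drifted apart before this fix. Recomputing it from the pointer, `left = ret_size - (size_t)(ret - ret_buf);`, would keep a single source of truth for the remaining space. At minimum a comment such as `/* left = bytes still free at ret; each entry uses stringlen + 1 */` above the subtraction would document the invariant. The declaration of `stringlen` and the code that fills `ret` lie outside the hunks, so the assumption that an entry never exceeds the size checked by the guard should be confirmed there.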