Fix OOB read in DNS resolver The remote server specifies resplen, the length of the response it intends to send. anssiz represents the size of the destination buffer. If the reported resplen is larger than the anssiz, the code correctly only reads up to anssiz bytes, but returns resplen. so later functions will access far out of bounds. The fix ensures that the length of send_vc return does not exceed the buffer size. Bug: 161362564 Test: build, flash, boot Test: atest netd_integration_test Merged-In: Id4b5df1be4652e4623847b0b0bad0af65b80fdd5 Change-Id: Id4b5df1be4652e4623847b0b0bad0af65b80fdd5

commit: 43264bc36557db9a281b321aab16e574401dfddc [log] [tgz]
author: Ken Chen <cken@google.com> Fri Aug 07 19:04:25 2020 +0800
committer: Ken Chen <cken@google.com> Fri Aug 07 20:19:43 2020 +0800
tree: 7b95545601c687451e6a09f49b7e9f78b3be9a9e
parent: dad73ef232034dd0f4f46bda90c74e8727d840cc [diff]
diff --git a/libc/dns/resolv/res_send.c b/libc/dns/resolv/res_send.c
index 18bb752..81b42a6 100644
--- a/libc/dns/resolv/res_send.c
+++ b/libc/dns/resolv/res_send.c

@@ -950,6 +950,8 @@
 			else
 				break;
 		}
+		// return size should never exceed container size
+		resplen = anssiz;
 	}
 	/*
 	 * If the calling applicating has bailed out of
@@ -962,7 +964,7 @@
 		DprintQ((statp->options & RES_DEBUG) ||
 			(statp->pfcode & RES_PRF_REPLY),
 			(stdout, ";; old answer (unexpected):\n"),
-			ans, (resplen > anssiz) ? anssiz: resplen);
+			ans, resplen);
 		goto read_len;
 	}
commit	43264bc36557db9a281b321aab16e574401dfddc	[log] [tgz]
author	Ken Chen <cken@google.com>	Fri Aug 07 19:04:25 2020 +0800
committer	Ken Chen <cken@google.com>	Fri Aug 07 20:19:43 2020 +0800
tree	7b95545601c687451e6a09f49b7e9f78b3be9a9e
parent	dad73ef232034dd0f4f46bda90c74e8727d840cc [diff]