Fix OOB read in DNS resolver
The remote server specifies resplen, the length of the response it
intends to send. anssiz represents the size of the destination buffer.
If the reported resplen is larger than the anssiz, the code correctly
only reads up to anssiz bytes, but returns resplen. so later functions
will access far out of bounds.
The fix ensures that the length of send_vc return does not exceed the
buffer size.
(Manually backport commit from ag/12280247, since it's different git
project on qt-dev. Use aosp/1302595 as Merged-In tag to avoid conflict)
Bug: 161362564
Test: atest pass
Change-Id: Id4b5df1be4652e4623847b0b0bad0af65b80fdd5
Merged-In: I1ff2dc09f41f76973c5f066b07b15388e722b375
diff --git a/resolv/res_send.cpp b/resolv/res_send.cpp
index d89ad7e..5adf801 100644
--- a/resolv/res_send.cpp
+++ b/resolv/res_send.cpp
@@ -880,6 +880,9 @@
else
break;
}
+ LOG(WARNING) << __func__ << ": resplen " << resplen << " exceeds buf size " << anssiz;
+ // return size should never exceed container size
+ resplen = anssiz;
}
/*
* If the calling application has bailed out of
@@ -890,7 +893,7 @@
*/
if (hp->id != anhp->id) {
LOG(DEBUG) << __func__ << ": ld answer (unexpected):";
- res_pquery(ans, (resplen > anssiz) ? anssiz : resplen);
+ res_pquery(ans, resplen);
goto read_len;
}
diff --git a/server/AndroidTest.xml b/server/AndroidTest.xml
index 2501d78..fbb0be7 100644
--- a/server/AndroidTest.xml
+++ b/server/AndroidTest.xml
@@ -14,6 +14,7 @@
limitations under the License.
-->
<configuration description="Config for netd_unit_test">
+ <target_preparer class="com.android.tradefed.targetprep.RootTargetPreparer"/>
<target_preparer class="com.android.tradefed.targetprep.PushFilePreparer">
<option name="cleanup" value="true" />
<option name="push" value="netd_unit_test->/data/local/tmp/netd_unit_test" />
