Index: squid/lib/rfc1035.c diff -c squid/lib/rfc1035.c:1.22.2.6 squid/lib/rfc1035.c:1.22.2.7 *** squid/lib/rfc1035.c:1.22.2.6 Sun Jan 16 19:00:30 2005 --- squid/lib/rfc1035.c Sun Jan 16 19:46:29 2005 *************** *** 299,305 **** * Returns 0 (success) or 1 (error) */ static int ! rfc1035NameUnpack(const char *buf, size_t sz, off_t * off, char *name, size_t ns, int rdepth) { off_t no = 0; unsigned char c; --- 299,305 ---- * Returns 0 (success) or 1 (error) */ static int ! rfc1035NameUnpack(const char *buf, size_t sz, off_t * off, unsigned short *rdlength, char *name, size_t ns, int rdepth) { off_t no = 0; unsigned char c; *************** *** 324,330 **** /* Make sure the pointer is inside this message */ if (ptr>= sz) return 1; ! return rfc1035NameUnpack(buf, sz, &ptr, name + no, ns - no, rdepth + 1); } else if (c> RFC1035_MAXLABELSZ) { /* * "(The 10 and 01 combinations are reserved for future use.)" --- 324,330 ---- /* Make sure the pointer is inside this message */ if (ptr>= sz) return 1; ! return rfc1035NameUnpack(buf, sz, &ptr, rdlength, name + no, ns - no, rdepth + 1); } else if (c> RFC1035_MAXLABELSZ) { /* * "(The 10 and 01 combinations are reserved for future use.)" *************** *** 343,348 **** --- 343,350 ---- (*off) += len; no += len; *(name + (no++)) = '.'; + if (rdlength) + *rdlength += len + 1; } } while (c> 0 && no < ns); if (no) *************** *** 369,376 **** { unsigned short s; unsigned int i; off_t rdata_off; ! if (rfc1035NameUnpack(buf, sz, off, RR->name, RFC1035_MAXHOSTNAMESZ, 0)) { RFC1035_UNPACK_DEBUG; memset(RR, '0円', sizeof(*RR)); return 1; --- 371,379 ---- { unsigned short s; unsigned int i; + unsigned short rdlength; off_t rdata_off; ! if (rfc1035NameUnpack(buf, sz, off, NULL, RR->name, RFC1035_MAXHOSTNAMESZ, 0)) { RFC1035_UNPACK_DEBUG; memset(RR, '0円', sizeof(*RR)); return 1; *************** *** 395,401 **** RR->ttl = ntohl(i); memcpy(&s, buf + (*off), sizeof(s)); (*off) += sizeof(s); ! if ((*off) + ntohs(s)> sz) { /* * We got a truncated packet. 'dnscache' truncates UDP * replies at 512 octets, as per RFC 1035. --- 398,405 ---- RR->ttl = ntohl(i); memcpy(&s, buf + (*off), sizeof(s)); (*off) += sizeof(s); ! rdlength = ntohs(s); ! if ((*off) + rdlength> sz) { /* * We got a truncated packet. 'dnscache' truncates UDP * replies at 512 octets, as per RFC 1035. *************** *** 404,434 **** memset(RR, '0円', sizeof(*RR)); return 1; } ! RR->rdlength = ntohs(s); switch (RR->type) { case RFC1035_TYPE_PTR: RR->rdata = malloc(RFC1035_MAXHOSTNAMESZ); rdata_off = *off; ! if (rfc1035NameUnpack(buf, sz, &rdata_off, RR->rdata, RFC1035_MAXHOSTNAMESZ, 0)) return 1; ! if (rdata_off != ((*off) + RR->rdlength)) { /* * This probably doesn't happen for valid packets, but * I want to make sure that NameUnpack doesn't go beyond * the RDATA area. */ RFC1035_UNPACK_DEBUG; memset(RR, '0円', sizeof(*RR)); return 1; } break; case RFC1035_TYPE_A: default: ! RR->rdata = malloc(RR->rdlength); ! memcpy(RR->rdata, buf + (*off), RR->rdlength); break; } ! (*off) += RR->rdlength; assert((*off) <= sz); return 0; } --- 408,440 ---- memset(RR, '0円', sizeof(*RR)); return 1; } ! RR->rdlength = rdlength; switch (RR->type) { case RFC1035_TYPE_PTR: RR->rdata = malloc(RFC1035_MAXHOSTNAMESZ); rdata_off = *off; ! RR->rdlength = 0; /* Filled in by rfc1035NameUnpack */ ! if (rfc1035NameUnpack(buf, sz, &rdata_off, &RR->rdlength, RR->rdata, RFC1035_MAXHOSTNAMESZ, 0)) return 1; ! if (rdata_off != ((*off) + rdlength)) { /* * This probably doesn't happen for valid packets, but * I want to make sure that NameUnpack doesn't go beyond * the RDATA area. */ RFC1035_UNPACK_DEBUG; + free(RR->rdata); memset(RR, '0円', sizeof(*RR)); return 1; } break; case RFC1035_TYPE_A: default: ! RR->rdata = malloc(rdlength); ! memcpy(RR->rdata, buf + (*off), rdlength); break; } ! (*off) += rdlength; assert((*off) <= sz); return 0; }

AltStyle によって変換されたページ (->オリジナル) /