diff options
| author | Werner Koch <wk@gnupg.org> | 2015-02-11 10:27:57 +0100 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2015-02-11 10:28:25 +0100 |
| commit | 2183683bd633818dd031b090b5530951de76f392 (patch) | |
| tree | af283f4f329a140b76df6f7e83dce7ebb07aabb8 /common/srv.c | |
| parent | gpg: Prevent an invalid memory read using a garbled keyring. (diff) | |
| download | gnupg2-2183683bd633818dd031b090b5530951de76f392.tar.xz gnupg2-2183683bd633818dd031b090b5530951de76f392.zip | |
Use inline functions to convert buffer data to scalars.
* common/host2net.h (buf16_to_ulong, buf16_to_uint): New.
(buf16_to_ushort, buf16_to_u16): New.
(buf32_to_size_t, buf32_to_ulong, buf32_to_uint, buf32_to_u32): New.
--
Commit 91b826a38880fd8a989318585eb502582636ddd8 was not enough to
avoid all sign extension on shift problems. Hanno Böck found a case
with an invalid read due to this problem. To fix that once and for
all almost all uses of "<< 24" and "<< 8" are changed by this patch to
use an inline function from host2net.h.
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'common/srv.c')
| -rw-r--r-- | common/srv.c | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/common/srv.c b/common/srv.c index 7a0c42d4f..2107aa528 100644 --- a/common/srv.c +++ b/common/srv.c @@ -48,6 +48,7 @@ #endif #include "util.h" +#include "host2net.h" #include "srv.h" /* Not every installation has gotten around to supporting SRVs @@ -184,27 +185,28 @@ getsrv (const char *name,struct srventry **list) if((emsg-pt)<16) goto fail; - type=*pt++ << 8; - type|=*pt++; + type = buf16_to_u16 (pt); + pt += 2; /* We asked for SRV and got something else !? */ if(type!=T_SRV) goto fail; - class=*pt++ << 8; - class|=*pt++; + class = buf16_to_u16 (pt); + pt += 2; /* We asked for IN and got something else !? */ if(class!=C_IN) goto fail; - pt+=4; /* ttl */ - dlen=*pt++ << 8; - dlen|=*pt++; - srv->priority=*pt++ << 8; - srv->priority|=*pt++; - srv->weight=*pt++ << 8; - srv->weight|=*pt++; - srv->port=*pt++ << 8; - srv->port|=*pt++; + pt += 4; /* ttl */ + dlen = buf16_to_u16 (pt); + pt += 2; + + srv->priority = buf16_to_ushort (pt); + pt += 2; + srv->weight = buf16_to_ushort (pt); + pt += 2; + srv->port = buf16_to_ushort (pt); + pt += 2; /* Get the name. 2782 doesn't allow name compression, but dn_expand still works to pull the name out of the |