commit 0967fc7e59cda0ea2561b0eaa58ed842da7c0eb9
author Pierre Imai <imaipi@google.com> Mon Feb 29 16:31:55 2016 +0900
committer Pierre Imai <imaipi@google.com> Mon Feb 29 16:50:38 2016 +0900
tree 2c7ec97be03c6b1b658cd6739960d0b359375c2d
parent 17866357c5437d1b43b9f4b7411e48d9c9c38bec

Copy the entire zero-separated DNS seach domain string.

The DNS search string contains zeros as domain separator. The resolver
code erroneously used strlcpy(), which resulted in only the first domain
to be copied. The code uses pointers into this string to access the
individual domains. Since the structure is zero-initialized, this bug only
resulted in zero-length domains instead of accessing unitialized memory.

BUG: 27312811
Change-Id: Ia9d066c405dfcc5e82d6766d93ead2ce574e7b0d

libc/dns/resolv/res_cache.c

diff --git a/libc/dns/resolv/res_cache.c b/libc/dns/resolv/res_cache.c
index 5a78450..ae8debb 100644
--- a/libc/dns/resolv/res_cache.c
+++ b/libc/dns/resolv/res_cache.c
@@ -2093,7 +2093,8 @@
         statp->nscount = nserv;
         // now do search domains.  Note that we cache the offsets as this code runs alot
         // but the setting/offset-computer only runs when set/changed
-        strlcpy(statp->defdname, info->defdname, sizeof(statp->defdname));
+        // WARNING: Don't use str*cpy() here, this string contains zeroes.
+        memcpy(statp->defdname, info->defdname, sizeof(statp->defdname));
         register char **pp = statp->dnsrch;
         register int *p = info->dnsrch_offset;
         while (pp < statp->dnsrch + MAXDNSRCH && *p != -1) {