commit 12021ce9cf1ec1bc47cded3402ac9a3aa7b9b396
author Josh Gao <jmgao@google.com> Tue Apr 04 00:49:24 2017 +0000
committer android-build-merger <android-build-merger@google.com> Tue Apr 04 00:49:24 2017 +0000
tree d9834f8c67723d7ad25c486f946ade92adeacb81
parent 5ac8755ffe2a908b11972e2c3c8d6c3331fc65aa
parent 1c864b630f0adadcf7ec8df9978366bc61184a7f

Merge "Break android_set_abort_message out of libc_logging."
am: 1c864b630f

Change-Id: I7d8ab343a09a0e2166d0462a3b378257cb837f67

libc/dns/net/getaddrinfo.c

diff --git a/libc/dns/net/getaddrinfo.c b/libc/dns/net/getaddrinfo.c
index 6c26cd3..4215963 100644
--- a/libc/dns/net/getaddrinfo.c
+++ b/libc/dns/net/getaddrinfo.c
@@ -1290,6 +1290,17 @@
 static const char AskedForGot[] =
 	"gethostby*.getanswer: asked for \"%s\", got \"%s\"";
 
+#define BOUNDED_INCR(x) \
+	do { \
+		BOUNDS_CHECK(cp, x); \
+		cp += (x); \
+	} while (/*CONSTCOND*/0)
+
+#define BOUNDS_CHECK(ptr, count) \
+	do { \
+		if (eom - (ptr) < (count)) { h_errno = NO_RECOVERY; return NULL; } \
+	} while (/*CONSTCOND*/0)
+
 static struct addrinfo *
 getanswer(const querybuf *answer, int anslen, const char *qname, int qtype,
     const struct addrinfo *pai)
@@ -1335,7 +1346,8 @@
 	qdcount = ntohs(hp->qdcount);
 	bp = hostbuf;
 	ep = hostbuf + sizeof hostbuf;
-	cp = answer->buf + HFIXEDSZ;
+	cp = answer->buf;
+	BOUNDED_INCR(HFIXEDSZ);
 	if (qdcount != 1) {
 		h_errno = NO_RECOVERY;
 		return (NULL);
@@ -1345,7 +1357,7 @@
 		h_errno = NO_RECOVERY;
 		return (NULL);
 	}
-	cp += n + QFIXEDSZ;
+	BOUNDED_INCR(n + QFIXEDSZ);
 	if (qtype == T_A || qtype == T_AAAA || qtype == T_ANY) {
 		/* res_send() has already verified that the query name is the
 		 * same as the one we sent; this just gets the expanded name
@@ -1370,12 +1382,14 @@
 			continue;
 		}
 		cp += n;			/* name */
+		BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ);
 		type = _getshort(cp);
  		cp += INT16SZ;			/* type */
 		class = _getshort(cp);
  		cp += INT16SZ + INT32SZ;	/* class, TTL */
 		n = _getshort(cp);
 		cp += INT16SZ;			/* len */
+		BOUNDS_CHECK(cp, n);
 		if (class != C_IN) {
 			/* XXX - debug? syslog? */
 			cp += n;

libc/dns/net/gethnamaddr.c

diff --git a/libc/dns/net/gethnamaddr.c b/libc/dns/net/gethnamaddr.c
index 42f0d0a..75cb2b3 100644
--- a/libc/dns/net/gethnamaddr.c
+++ b/libc/dns/net/gethnamaddr.c
@@ -186,14 +186,13 @@
 
 #define BOUNDED_INCR(x) \
 	do { \
+		BOUNDS_CHECK(cp, x); \
 		cp += (x); \
-		if (cp > eom) \
-			goto no_recovery; \
 	} while (/*CONSTCOND*/0)
 
 #define BOUNDS_CHECK(ptr, count) \
 	do { \
-		if ((ptr) + (count) > eom) \
+		if (eom - (ptr) < (count)) \
 			goto no_recovery; \
 	} while (/*CONSTCOND*/0)
 

tests/sys_prctl_test.cpp

diff --git a/tests/sys_prctl_test.cpp b/tests/sys_prctl_test.cpp
index 1d80dbc..2123c94 100644
--- a/tests/sys_prctl_test.cpp
+++ b/tests/sys_prctl_test.cpp
@@ -43,7 +43,6 @@
   std::string file_data;
   ASSERT_TRUE(android::base::ReadFileToString("/proc/self/maps", &file_data));
 
-  uintptr_t last_start = 0;
   uintptr_t last_end = 0;
   std::vector<std::string> lines = android::base::Split(file_data, "\n");
   for (size_t i = 0; i < lines.size(); i++) {
@@ -57,7 +56,6 @@
     // This will never fail on the first line, so no need to do any special checking.
     ASSERT_GE(start, last_end)
         << "Overlapping map detected:\n" << lines[i -1] << '\n' << lines[i] << '\n';
-    last_start = start;
     last_end = end;
   }