From: Rich Felker <dalias@aerifal.cx>
Date: Mon, 2 Jun 2014 05:31:28 +0000 (-0400)
Subject: fix off-by-one in checking hostname length in new resolver backend
X-Git-Url: http://nsz.repo.hu/git/?a=commitdiff_plain;h=bb9af59bba5b72b90c38d28809c30b31933c64d5;p=musl

fix off-by-one in checking hostname length in new resolver backend

this bug was introduced in the recent resolver overhaul commits. it
likely had visible symptoms. these were probably limited to wrongly
accepting truncated versions of over-long names (vs rejecting them),
as opposed to stack-based overflows or anything more severe, but no
extensive checks were made. there have been no releases where this bug
was present.
---

diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
index b1f1ffd0..e1b583ee 100644
--- a/src/network/lookup_name.c
+++ b/src/network/lookup_name.c
@@ -14,7 +14,7 @@
 static int is_valid_hostname(const char *host)
 {
 	const unsigned char *s;
-	if (strnlen(host, 255)-1 > 254 || mbstowcs(0, host, 0) > 255) return 0;
+	if (strnlen(host, 256)-1 > 254 || mbstowcs(0, host, 0) > 255) return 0;
 	for (s=(void *)host; *s>=0x80 || *s=='.' || *s=='-' || isalnum(*s); s++);
 	return !*s;
 }
@@ -119,7 +119,7 @@ int __lookup_name(struct address buf[static MAXADDRS], char canon[static 256], c
 	*canon = 0;
 	if (name) {
 		size_t l;
-		if ((l = strnlen(name, 255))-1 > 254)
+		if ((l = strnlen(name, 256))-1 > 254)
 			return EAI_NONAME;
 		memcpy(canon, name, l+1);
 	}