authorAlexander Bluhm <bluhm@cvs.openbsd.org>2015-11-05 22:44:38 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2015-11-05 22:44:38 +0000
commite8494178d60de6d4fe2647f41f5fbb12685d035c (patch)
treec9cf3fe8ea50a3914215acfb23fc303a1f466e3a /lib/libc/asr/res_init.c
parent2ded835c31d1f3da0b6d9b3940d12b35720f42b7 (diff)
When filling the __res_state compatibility struct, a long list of
nameservers could overflow the dns search pointers. Restrict the number, size and address family of nameservers in res_init(3). This fixes a crash in sendmail. Only programs that use the bind resolver internals directly are affected. OK deraadt@ millert@
Diffstat (limited to 'lib/libc/asr/res_init.c')
-rw-r--r--lib/libc/asr/res_init.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/lib/libc/asr/res_init.c b/lib/libc/asr/res_init.c
index 03ed33562b8..52705658fda 100644
--- a/lib/libc/asr/res_init.c
+++ b/lib/libc/asr/res_init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: res_init.c,v 1.6 2015/10/05 02:57:16 guenther Exp $ */
+/* $OpenBSD: res_init.c,v 1.7 2015/11/05 22:44:37 bluhm Exp $ */
/*
* Copyright (c) 2012 Eric Faurot <eric@openbsd.org>
*
@@ -39,7 +39,7 @@ res_init(void)
{
_THREAD_PRIVATE_MUTEX(init);
struct asr_ctx *ac;
- int i;
+ int i, j;
ac = _asr_use_resolver(NULL);
@@ -58,9 +58,13 @@ res_init(void)
strlcpy(_res.lookups, ac->ac_db, sizeof(_res.lookups));
_res.nscount = ac->ac_nscount;
- for (i = 0; i < ac->ac_nscount; i++) {
- memcpy(&_res.nsaddr_list[i], ac->ac_ns[i],
+ for (i = 0, j = 0; i < ac->ac_nscount && j < MAXNS; i++) {
+ if (ac->ac_ns[i]->sa_family != AF_INET ||
+ ac->ac_ns[i]->sa_len > sizeof(_res.nsaddr_list[j]))
+ continue;
+ memcpy(&_res.nsaddr_list[j], ac->ac_ns[i],
ac->ac_ns[i]->sa_len);
+ j++;
}
_res.options |= RES_INIT;
}
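Review bot: `_res.nscount` is still assigned `ac->ac_nscount` just before the loop, and nothing in the visible lines updates it afterwards, so it can exceed both `MAXNS` and the number of entries actually copied once non-AF_INET or oversized addresses are skipped. A consumer of the compatibility struct that walks `_res.nsaddr_list` up to `_res.nscount` would then read unfilled slots or index past the end of the array. Setting `_res.nscount = j;` right after the loop keeps the count consistent with what was stored. res_init()'s body starts and ends outside this hunk, so a later assignment cannot be ruled out from here.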