dns_resolver: assure that dns_query() result is null-terminated
authorManuel Schölling <manuel.schoelling@gmx.de>
Sat, 7 Jun 2014 21:57:25 +0000 (23:57 +0200)
committerBen Hutchings <ben@decadent.org.uk>
Wed, 6 Aug 2014 17:07:39 +0000 (18:07 +0100)
[ Upstream commit 84a7c0b1db1c17d5ded8d3800228a608e1070b40 ]

dns_query() credulously assumes that keys are null-terminated and
returns a copy of a memory block that is off by one.

Signed-off-by: Manuel Schölling <manuel.schoelling@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
net/dns_resolver/dns_query.c

index c32be29..ede0e2d 100644 (file)
@@ -150,7 +150,9 @@ int dns_query(const char *type, const char *name, size_t namelen,
        if (!*_result)
                goto put;
 
        if (!*_result)
                goto put;
 
-       memcpy(*_result, upayload->data, len + 1);
+       memcpy(*_result, upayload->data, len);
+       *_result[len] = '\0';
+
        if (_expiry)
                *_expiry = rkey->expiry;
 
        if (_expiry)
                *_expiry = rkey->expiry;