diff options
author | Daniel Veillard <veillard@src.gnome.org> | 2004-10-27 09:39:50 +0000 |
---|---|---|
committer | Daniel Veillard <veillard@src.gnome.org> | 2004-10-27 09:39:50 +0000 |
commit | 8e2c9792e923c95a4d353cbc0bb1146413b60168 (patch) | |
tree | 56ec6c65ae156086105bc87f73401c887f6f53fb /nanohttp.c | |
parent | 95ddcd326694de324a41a73d407d72604dd746d1 (diff) | |
download | libxml2-8e2c9792e923c95a4d353cbc0bb1146413b60168.tar.gz |
second part of the security fix for xmlNanoFTPConnect() and
* nanoftp.c nanohttp.c: second part of the security fix for
xmlNanoFTPConnect() and xmlNanoHTTPConnectHost().
Daniel
Diffstat (limited to 'nanohttp.c')
-rw-r--r-- | nanohttp.c | 18 |
1 files changed, 18 insertions, 0 deletions
@@ -1072,11 +1072,21 @@ xmlNanoHTTPConnectHost(const char *host, int port) for (res = result; res; res = res->ai_next) { if (res->ai_family == AF_INET || res->ai_family == AF_INET6) { if (res->ai_family == AF_INET6) { + if (res->ai_addrlen > sizeof(sockin6)) { + __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n"); + freeaddrinfo (result); + return (-1); + } memcpy (&sockin6, res->ai_addr, res->ai_addrlen); sockin6.sin6_port = htons (port); addr = (struct sockaddr *)&sockin6; } else { + if (res->ai_addrlen > sizeof(sockin)) { + __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n"); + freeaddrinfo (result); + return (-1); + } memcpy (&sockin, res->ai_addr, res->ai_addrlen); sockin.sin_port = htons (port); addr = (struct sockaddr *)&sockin; @@ -1141,6 +1151,10 @@ xmlNanoHTTPConnectHost(const char *host, int port) for (i = 0; h->h_addr_list[i]; i++) { if (h->h_addrtype == AF_INET) { /* A records (IPv4) */ + if ((unsigned int) h->h_length > sizeof(ia)) { + __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n"); + return (-1); + } memcpy (&ia, h->h_addr_list[i], h->h_length); sockin.sin_family = h->h_addrtype; sockin.sin_addr = ia; @@ -1149,6 +1163,10 @@ xmlNanoHTTPConnectHost(const char *host, int port) #ifdef SUPPORT_IP6 } else if (have_ipv6 () && (h->h_addrtype == AF_INET6)) { /* AAAA records (IPv6) */ + if ((unsigned int) h->h_length > sizeof(ia6)) { + __xmlIOErr(XML_FROM_HTTP, 0, "address size mismatch\n"); + return (-1); + } memcpy (&ia6, h->h_addr_list[i], h->h_length); sockin6.sin6_family = h->h_addrtype; sockin6.sin6_addr = ia6; |