https://bugs.exim.org/show_bug.cgi?id=1773
Bug ID: 1773
Summary: GETSHORT reading 65535 instead of 4 when running Exim
test suite
Product: Exim
Version: 4.86+ HEAD
Hardware: x86-64
OS: OpenBSD
Status: NEW
Severity: bug
Priority: medium
Component: Networking
Assignee: nigel@???
Reporter: km@???
CC: exim-dev@???
While setting up a new animal for the buildfarm, I discovered that test 0020 segfaulted.
The issue was traced to some code at the end of dns_next_rr() in src/dns.c:
    /* Move the pointer past the name and fill in the rest of the data structure
    from the following bytes. */
    dnss->aptr += namelen;
    GETSHORT(dnss->srr.type, dnss->aptr); /* Record type */
    dnss->aptr += 2;                      /* Don't want class */
    GETLONG(dnss->srr.ttl, dnss->aptr);   /* TTL */
    GETSHORT(dnss->srr.size, dnss->aptr); /* Size of data portion */
    dnss->srr.data = dnss->aptr;          /* The record's data follows */
    dnss->aptr += dnss->srr.size;         /* Advance to next RR */
Now, what happens is that in some circumstances dnss->srr.size is set to 65535
by GETSHORT (instead of 4) and this causes the process to segfault. Adding this
check after GETSHORT() works around the issue:
    if (dnss->srr.size == 65535) dnss->srr.size = 4;
This happens when resolving manyhome.test.ex.
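Whatever the reason the size field reads as 65535 on this platform, the step that turns a bad RDLENGTH into a crash is the unchecked `dnss->aptr += dnss->srr.size`: the cursor is moved past the end of the answer buffer and the next read faults. The C program below is an example added to this report (it is not Exim's dns_next_rr() and not the reporter's workaround) showing the defensive shape of the same loop: every fixed field and the RDATA length are checked against the end of the buffer before the cursor advances, so an RDLENGTH larger than the bytes remaining is rejected rather than special-cased. RD16/RD32 are local stand-ins for the GETSHORT/GETLONG macros, and the two answer buffers are constructed by hand for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example code added to this report for illustration; not Exim's own code.
   RD16/RD32 are stand-ins for GETSHORT/GETLONG from <arpa/nameser.h>:
   big-endian reads that advance the cursor and do no bounds checking. */
#define RD16(s, cp) do { (s) = (uint16_t)(((uint16_t)(cp)[0] << 8) | (uint16_t)(cp)[1]); (cp) += 2; } while (0)
#define RD32(l, cp) do { (l) = ((uint32_t)(cp)[0] << 24) | ((uint32_t)(cp)[1] << 16) | \
                               ((uint32_t)(cp)[2] << 8)  |  (uint32_t)(cp)[3]; (cp) += 4; } while (0)

typedef struct {
    uint16_t type;
    uint32_t ttl;
    uint16_t size;           /* RDLENGTH */
    const uint8_t *data;     /* points into the answer buffer */
} rr_t;

/* Skip the owner name at *cp: plain labels or a compression pointer (RFC 1035 4.1.4).
   Returns 0 on success, -1 if the name runs off the end of the buffer. */
static int skip_name(const uint8_t **cp, const uint8_t *end)
{
    const uint8_t *p = *cp;
    for (;;) {
        if (p >= end) return -1;
        uint8_t len = *p;
        if (len == 0) { p++; break; }          /* root label ends the name */
        if ((len & 0xC0) == 0xC0) {            /* compression pointer: 2 bytes, ends the name */
            if (end - p < 2) return -1;
            p += 2;
            break;
        }
        if (len > 63 || end - p < 1 + (ptrdiff_t)len) return -1;
        p += 1 + len;
    }
    *cp = p;
    return 0;
}

/* Parse one RR at *cp inside [*cp, end). The fixed fields are only read once
   all 10 bytes are known to be present, and RDLENGTH is compared with the
   bytes remaining before the cursor is advanced over the RDATA. */
static int next_rr(const uint8_t **cp, const uint8_t *end, rr_t *rr)
{
    const uint8_t *p = *cp;
    if (skip_name(&p, end) != 0) return -1;
    if (end - p < 10) return -1;               /* TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) */
    RD16(rr->type, p);
    p += 2;                                    /* class not needed */
    RD32(rr->ttl, p);
    RD16(rr->size, p);
    if ((size_t)(end - p) < rr->size) return -1;  /* RDATA would overrun the buffer */
    rr->data = p;
    p += rr->size;
    *cp = p;
    return 0;
}

/* Parse every RR in buf[0..len); returns the count, or -1 on any malformed RR. */
static int parse_all(const uint8_t *buf, size_t len, rr_t *out, int max)
{
    const uint8_t *p = buf, *end = buf + len;
    int n = 0;
    while (p < end) {
        if (n >= max || next_rr(&p, end, &out[n]) != 0) return -1;
        n++;
    }
    return n;
}

/* Constructed sample: two well-formed A records, the second using a compression pointer. */
static const uint8_t sample_good[] = {
    0x01, 'a', 0x00,                 /* owner name "a." */
    0x00, 0x01, 0x00, 0x01,          /* TYPE A, CLASS IN */
    0x00, 0x00, 0x0e, 0x10,          /* TTL 3600 */
    0x00, 0x04, 192, 0, 2, 1,        /* RDLENGTH 4, RDATA 192.0.2.1 */
    0xC0, 0x00,                      /* owner name: pointer to offset 0 */
    0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x3c,          /* TTL 60 */
    0x00, 0x04, 192, 0, 2, 2,
};

/* Constructed sample: same first record, but RDLENGTH claims 65535 bytes. */
static const uint8_t sample_bad[] = {
    0x01, 'a', 0x00,
    0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x0e, 0x10,
    0xFF, 0xFF, 192, 0, 2, 1,        /* RDLENGTH 65535, only 4 bytes actually follow */
};

int main(void)
{
    rr_t rrs[4];
    int n = parse_all(sample_good, sizeof sample_good, rrs, 4);
    printf("good buffer: %d RRs parsed\n", n);
    n = parse_all(sample_bad, sizeof sample_bad, rrs, 4);
    printf("bad buffer: %s\n", n < 0 ? "rejected, RDLENGTH overruns buffer" : "accepted");
    return 0;
}
```

With the checks in place the bad buffer is reported as malformed and the cursor never leaves the answer, which is the behaviour a resolver-facing parser needs whether the oversized length came from a misread macro or from a hostile response.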