Author: tfaber Date: Wed Jun 20 00:57:53 2012 New Revision: 56756
URL: http://svn.reactos.org/svn/reactos?rev=56756&view=rev Log: [WS2_32] - Do not manually allocate an incompatible hostent structure in FindEntryInHosts. Use populate_hostent instead. Fixes buffer overflow in name resolution. See issue #7126 for more details.
Modified: trunk/reactos/dll/win32/ws2_32/include/ws2_32.h trunk/reactos/dll/win32/ws2_32/misc/ns.c
Modified: trunk/reactos/dll/win32/ws2_32/include/ws2_32.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/ws2_32/include/ws... ==============================================================================
--- trunk/reactos/dll/win32/ws2_32/include/ws2_32.h [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/ws2_32/include/ws2_32.h [iso-8859-1] Wed Jun 20 00:57:53 2012
@@ -76,7 +76,7 @@
 /* ws2_32 internal Functions */
 void check_hostent(struct hostent **he);
-void populate_hostent(struct hostent *he, char* name, DNS_A_DATA addr);
+void populate_hostent(struct hostent *he, char* name, IP4_ADDRESS addr);
 void free_hostent(struct hostent *he);
 void free_servent(struct servent* s);
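Review bot: The new prototype on the `+` line still declares the name parameter as `char* name`, although the hunk at `@@ -813,51 +813,12 @@` shows the callers only need `populate_hostent` to read the name (the removed code copied it into a freshly allocated `h_name`, and populate_hostent now takes over that job). Since this commit already touches the signature both here and in the ns.c definition hunk at `@@ -529,7 +529,7 @@`, it is the natural moment to make it `void populate_hostent(struct hostent *he, const char *name, IP4_ADDRESS addr);`. Whether the body writes through `name` cannot be confirmed from the hunks, as the definition's body lies outside them, so this should be checked before changing the qualifier. With a `const char *` parameter the `(PCHAR)` cast at the call site in the last hunk may also become unnecessary, depending on the declared type of `curr->pName`.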
Modified: trunk/reactos/dll/win32/ws2_32/misc/ns.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/ws2_32/misc/ns.c?... ==============================================================================
--- trunk/reactos/dll/win32/ws2_32/misc/ns.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/ws2_32/misc/ns.c [iso-8859-1] Wed Jun 20 00:57:53 2012
@@ -529,7 +529,7 @@
 }
 }
-void populate_hostent(struct hostent *he, char* name, DNS_A_DATA addr)
+void populate_hostent(struct hostent *he, char* name, IP4_ADDRESS addr)
 {
 ASSERT(he);
@@ -561,8 +561,8 @@
 WS_DbgPrint(MID_TRACE,("he->h_addr_list[0] %x\n", he->h_addr_list[0]));
 RtlCopyMemory(he->h_addr_list[0],
- &addr.IpAddress,
- sizeof(addr.IpAddress));
+ &addr,
+ sizeof(addr));
 he->h_addr_list[1] = NULL;
 }
@@ -813,51 +813,12 @@
 return NULL;
 }
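Review bot: `RtlCopyMemory(he->h_addr_list[0], &addr, sizeof(addr))` now derives its length from the parameter type, while the allocation of `h_addr_list[0]` and the `h_length` assignment that must agree with it sit earlier in `populate_hostent`, outside this hunk. If either of those still spells the size as a literal or as a different expression, a later change of the parameter type would silently desynchronise the buffer size, the copy length and the `h_length` value callers read. Worth checking that all three use `sizeof(addr)`, and recording the coupling above the copy with `/* h_addr_list[0] is allocated with, and h_length set to, sizeof(addr); keep in sync */`.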
- if( !p->Hostent )
- {
- p->Hostent = HeapAlloc(GlobalHeap, 0, sizeof(*p->Hostent));
- if( !p->Hostent )
- {
- WSASetLastError( WSATRY_AGAIN );
- return NULL;
- }
- }
-
- p->Hostent->h_name = HeapAlloc(GlobalHeap, 0, strlen(DnsName));
- if( !p->Hostent->h_name )
- {
- WSASetLastError( WSATRY_AGAIN );
- return NULL;
- }
-
- RtlCopyMemory(p->Hostent->h_name,
- DnsName,
- strlen(DnsName));
-
- p->Hostent->h_aliases = HeapAlloc(GlobalHeap, 0, sizeof(char *));
- if( !p->Hostent->h_aliases )
- {
- WSASetLastError( WSATRY_AGAIN );
- return NULL;
- }
-
- p->Hostent->h_aliases[0] = 0;
-
 if (strstr(AddressStr, ":")) {
 DbgPrint("AF_INET6 NOT SUPPORTED!\n");
 WSASetLastError(WSAEINVAL);
 return NULL;
 }
- else
- p->Hostent->h_addrtype = AF_INET;
-
- p->Hostent->h_addr_list = HeapAlloc(GlobalHeap, 0, sizeof(char *));
- if( !p->Hostent->h_addr_list )
- {
- WSASetLastError( WSATRY_AGAIN );
- return NULL;
- }
 Address = inet_addr(AddressStr);
 if (Address == INADDR_NONE)
@@ -866,18 +827,7 @@
 return NULL;
 }
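Review bot: The removed lines at the top of this hunk were the only visible place in `FindEntryInHosts` that allocated `p->Hostent` when it was NULL, and the replacement `populate_hostent(p->Hostent, DnsName, Address)` in the next hunk has only `ASSERT(he)` behind it, which is compiled out of release builds. Unless `check_hostent(&p->Hostent)` is already called on the path leading into this hunk, which cannot be confirmed here because the start of the function lies outside it, the first lookup that hits the hosts file would now dereference NULL inside populate_hostent. If it is not, the guard belongs right before the IPv6 check: `check_hostent(&p->Hostent);` (assuming check_hostent allocates on demand, as its double-pointer prototype in the header hunk suggests; confirm against its body). The same concern applies to the hunk at `@@ -866,18 +827,7 @@`. Separately, `strstr(AddressStr, ":")` searches for a single character and reads more naturally as `strchr(AddressStr, ':')`.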
- p->Hostent->h_addr_list[0] = HeapAlloc(GlobalHeap, 0, sizeof(Address));
- if( !p->Hostent->h_addr_list[0] )
- {
- WSASetLastError( WSATRY_AGAIN );
- return NULL;
- }
-
- RtlCopyMemory(p->Hostent->h_addr_list[0],
- &Address,
- sizeof(Address));
-
- p->Hostent->h_length = sizeof(Address);
+ populate_hostent(p->Hostent, DnsName, Address);
 return p->Hostent;
 }
@@ -996,7 +946,9 @@
 {
 WS_DbgPrint(MID_TRACE,("populating hostent\n"));
 WS_DbgPrint(MID_TRACE,("pName is (%s)\n", curr->pName));
- populate_hostent(p->Hostent, (PCHAR)curr->pName, curr->Data.A);
+ populate_hostent(p->Hostent,
+ (PCHAR)curr->pName,
+ curr->Data.A.IpAddress);
 DnsRecordListFree(dp, DnsFreeRecordList);
 return p->Hostent;
 }