configd-801.10.2.tar.gz

diff --git a/dnsinfo/dnsinfo_copy.c b/dnsinfo/dnsinfo_copy.c
index bd494f36055adb7d018cd878983dcfa8093f5506..004be20f2709701c5df7eeacfe6ff28c3a9d9533 100644 (file)
--- a/dnsinfo/dnsinfo_copy.c
+++ b/dnsinfo/dnsinfo_copy.c
@@ -2,14 +2,14 @@
  * Copyright (c) 2004, 2006, 2008-2013, 2015 Apple Inc. All rights reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
  * Copyright (c) 2004, 2006, 2008-2013, 2015 Apple Inc. All rights reserved.
  *
  * @APPLE_LICENSE_HEADER_START@

- * 
+ *

  * This file contains Original Code and/or Modifications of Original Code
  * as defined in and that are subject to the Apple Public Source License
  * Version 2.0 (the 'License'). You may not use this file except in
  * compliance with the License. Please obtain a copy of the License at
  * http://www.opensource.apple.com/apsl/ and read it before using this
  * file.
  * This file contains Original Code and/or Modifications of Original Code
  * as defined in and that are subject to the Apple Public Source License
  * Version 2.0 (the 'License'). You may not use this file except in
  * compliance with the License. Please obtain a copy of the License at
  * http://www.opensource.apple.com/apsl/ and read it before using this
  * file.

- * 
+ *

  * The Original Code and all software distributed under the License are
  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  * The Original Code and all software distributed under the License are
  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,


@@ -17,7 +17,7 @@
  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  * Please see the License for the specific language governing rights and
  * limitations under the License.
  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  * Please see the License for the specific language governing rights and
  * limitations under the License.

- * 
+ *

  * @APPLE_LICENSE_HEADER_END@
  */
 
  * @APPLE_LICENSE_HEADER_END@
  */
 


@@ -79,6 +79,7 @@ dns_config_t *
 dns_configuration_copy()
 {
        uint8_t                 *buf            = NULL;
 dns_configuration_copy()
 {
        uint8_t                 *buf            = NULL;

+       size_t                  bufLen;

        dns_config_t            *config         = NULL;
        static const char       *proc_name      = NULL;
        xpc_object_t            reqdict;
        dns_config_t            *config         = NULL;
        static const char       *proc_name      = NULL;
        xpc_object_t            reqdict;


@@ -90,13 +91,15 @@ dns_configuration_copy()
                        static const char       *service_name   = DNSINFO_SERVICE_NAME;
 
                        dispatch_once(&once, ^{
                        static const char       *service_name   = DNSINFO_SERVICE_NAME;
 
                        dispatch_once(&once, ^{

+#if    DEBUG

                                const char      *name;
 
                                // get [XPC] service name
                                name = getenv(service_name);
                                const char      *name;
 
                                // get [XPC] service name
                                name = getenv(service_name);

-                               if ((name != NULL) && (issetugid() == 0)) {
+                               if (name != NULL) {

                                        service_name = strdup(name);
                                }
                                        service_name = strdup(name);
                                }

+#endif // DEBUG

 
                                // get process name
                                proc_name = getprogname();
 
                                // get process name
                                proc_name = getprogname();


@@ -140,16 +143,43 @@ dns_configuration_copy()
                if ((dataRef != NULL) &&
                    ((dataLen >= sizeof(_dns_config_buf_t)) && (dataLen <= DNS_CONFIG_BUF_MAX))) {
                        _dns_config_buf_t       *config         = (_dns_config_buf_t *)(void *)dataRef;
                if ((dataRef != NULL) &&
                    ((dataLen >= sizeof(_dns_config_buf_t)) && (dataLen <= DNS_CONFIG_BUF_MAX))) {
                        _dns_config_buf_t       *config         = (_dns_config_buf_t *)(void *)dataRef;

-                       uint32_t                n_padding       = ntohl(config->n_padding);
-
-                       if (n_padding <= (DNS_CONFIG_BUF_MAX - dataLen)) {
-                               size_t        len;
-
-                               len = dataLen + n_padding;
-                               buf = malloc(len);
-                               bcopy((void *)dataRef, buf, dataLen);
-                               bzero(&buf[dataLen], n_padding);
-                       }
+                       size_t                  configLen;
+                       uint32_t                n_attribute     = ntohl(config->n_attribute);
+                       uint32_t                n_padding       = ntohl(config->n_padding);
+
+                       /*
+                        * Check that the size of the configuration header plus the size of the
+                        * attribute data matches the size of the configuration buffer.
+                        *
+                        * If the sizes are different, something that should NEVER happen, CRASH!
+                        */
+                       configLen = sizeof(_dns_config_buf_t) + n_attribute;
+                       assert(configLen == dataLen);
+
+                       /*
+                        * Check that the size of the requested padding would not result in our
+                        * allocating a configuration + padding buffer larger than our maximum size.
+                        *
+                        * If the requested padding size is too large, something that should NEVER
+                        * happen, CRASH!
+                        */
+                       assert(n_padding <= (DNS_CONFIG_BUF_MAX - dataLen));
+
+                       /*
+                        * Check that the actual size of the configuration data and any requested
+                        * padding will be less than the maximum possible size of the in-memory
+                        * configuration buffer.
+                        *
+                        * If the length needed is too large, something that should NEVER happen, CRASH!
+                        */
+                       bufLen = dataLen + n_padding;
+                       assert(bufLen <= DNS_CONFIG_BUF_MAX);
+
+                       // allocate a buffer large enough to hold both the configuration
+                       // data and the padding.
+                       buf = malloc(bufLen);
+                       bcopy((void *)dataRef, buf, dataLen);
+                       bzero(&buf[dataLen], n_padding);

                }
 
                xpc_release(reply);
                }
 
                xpc_release(reply);

diff --git a/dnsinfo/dnsinfo_internal.h b/dnsinfo/dnsinfo_internal.h
index 3d695f12a370da1e72150602a19cc397098ed092..1359cde4c426459f87986e2832f0794ecc4e370b 100644 (file)
--- a/dnsinfo/dnsinfo_internal.h
+++ b/dnsinfo/dnsinfo_internal.h
@@ -93,10 +93,10 @@ _dns_configuration_expand_resolver(_dns_resolver_buf_t *buf, uint32_t n_buf, voi
 
        resolver->n_nameserver = ntohl(resolver->n_nameserver);
        if (!__dns_configuration_expand_add_list(padding,
 
        resolver->n_nameserver = ntohl(resolver->n_nameserver);
        if (!__dns_configuration_expand_add_list(padding,

-                     n_padding,
-                     resolver->n_nameserver,
-                     sizeof(DNS_PTR(struct sockaddr *, x)),
-                     (void **)&resolver->nameserver)) {
+                                                n_padding,
+                                                resolver->n_nameserver,
+                                                sizeof(DNS_PTR(struct sockaddr *, x)),
+                                                (void **)&resolver->nameserver)) {

                goto error;
        }
 
                goto error;
        }
 


@@ -108,10 +108,10 @@ _dns_configuration_expand_resolver(_dns_resolver_buf_t *buf, uint32_t n_buf, voi
 
        resolver->n_search = ntohl(resolver->n_search);
        if (!__dns_configuration_expand_add_list(padding,
 
        resolver->n_search = ntohl(resolver->n_search);
        if (!__dns_configuration_expand_add_list(padding,

-                     n_padding,
-                     resolver->n_search,
-                     sizeof(DNS_PTR(char *, x)),
-                     (void **)&resolver->search)) {
+                                                n_padding,
+                                                resolver->n_search,
+                                                sizeof(DNS_PTR(char *, x)),
+                                                (void **)&resolver->search)) {

                goto error;
        }
 
                goto error;
        }
 


@@ -119,10 +119,10 @@ _dns_configuration_expand_resolver(_dns_resolver_buf_t *buf, uint32_t n_buf, voi
 
        resolver->n_sortaddr = ntohl(resolver->n_sortaddr);
        if (!__dns_configuration_expand_add_list(padding,
 
        resolver->n_sortaddr = ntohl(resolver->n_sortaddr);
        if (!__dns_configuration_expand_add_list(padding,

-                     n_padding,
-                     resolver->n_sortaddr,
-                     sizeof(DNS_PTR(dns_sortaddr_t *, x)),
-                     (void **)&resolver->sortaddr)) {
+                                                n_padding,
+                                                resolver->n_sortaddr,
+                                                sizeof(DNS_PTR(dns_sortaddr_t *, x)),
+                                                (void **)&resolver->sortaddr)) {

                goto error;
        }
 
                goto error;
        }
 


@@ -237,44 +237,45 @@ _dns_configuration_expand_config(_dns_config_buf_t *buf)
        int32_t                 n_service_specific_resolver     = 0;
        void                    *padding;
 
        int32_t                 n_service_specific_resolver     = 0;
        void                    *padding;
 

-       // establish padding
+       n_attribute = ntohl(buf->n_attribute);  // pre-validated (or known OK) at entry
+       n_padding   = ntohl(buf->n_padding);    // pre-validated (or known OK) at entry

 
 

-       padding   = &buf->attribute[ntohl(buf->n_attribute)];
-       n_padding = ntohl(buf->n_padding);
+       // establish the start of padding to be after the last attribute
+
+       padding = &buf->attribute[n_attribute];

 
        // initialize resolver lists
 
        config->n_resolver = ntohl(config->n_resolver);
        if (!__dns_configuration_expand_add_list(&padding,
 
        // initialize resolver lists
 
        config->n_resolver = ntohl(config->n_resolver);
        if (!__dns_configuration_expand_add_list(&padding,

-                     &n_padding,
-                     config->n_resolver,
-                     sizeof(DNS_PTR(dns_resolver_t *, x)),
-                     (void **)&config->resolver)) {
+                                                &n_padding,
+                                                config->n_resolver,
+                                                sizeof(DNS_PTR(dns_resolver_t *, x)),
+                                                (void **)&config->resolver)) {

                goto error;
        }
 
        config->n_scoped_resolver = ntohl(config->n_scoped_resolver);
        if (!__dns_configuration_expand_add_list(&padding,
                goto error;
        }
 
        config->n_scoped_resolver = ntohl(config->n_scoped_resolver);
        if (!__dns_configuration_expand_add_list(&padding,

-                     &n_padding,
-                     config->n_scoped_resolver,
-                     sizeof(DNS_PTR(dns_resolver_t *, x)),
-                     (void **)&config->scoped_resolver)) {
+                                                &n_padding,
+                                                config->n_scoped_resolver,
+                                                sizeof(DNS_PTR(dns_resolver_t *, x)),
+                                                (void **)&config->scoped_resolver)) {

                goto error;
        }
 
        config->n_service_specific_resolver = ntohl(config->n_service_specific_resolver);
        if (!__dns_configuration_expand_add_list(&padding,
                goto error;
        }
 
        config->n_service_specific_resolver = ntohl(config->n_service_specific_resolver);
        if (!__dns_configuration_expand_add_list(&padding,

-                     &n_padding,
-                     config->n_service_specific_resolver,
-                     sizeof(DNS_PTR(dns_resolver_t *, x)),
-                     (void **)&config->service_specific_resolver)) {
+                                                &n_padding,
+                                                config->n_service_specific_resolver,
+                                                sizeof(DNS_PTR(dns_resolver_t *, x)),
+                                                (void **)&config->service_specific_resolver)) {

                goto error;
        }
 
        // process configuration buffer "attribute" data
 
                goto error;
        }
 
        // process configuration buffer "attribute" data
 

-       n_attribute = ntohl(buf->n_attribute);
-       attribute   = (dns_attribute_t *)(void *)&buf->attribute[0];
+       attribute = (dns_attribute_t *)(void *)&buf->attribute[0];

 
        while (n_attribute >= sizeof(dns_attribute_t)) {
                uint32_t        attribute_length        = ntohl(attribute->length);
 
        while (n_attribute >= sizeof(dns_attribute_t)) {
                uint32_t        attribute_length        = ntohl(attribute->length);