From: Apple <opensource@apple.com>
Date: Mon, 19 Oct 2015 01:18:18 +0000 (+0000)
Subject: configd-801.10.2.tar.gz
X-Git-Tag: os-x-10111^0
X-Git-Url: https://git.saurik.com/apple/configd.git/commitdiff_plain/a7855bcc03f13be3f338fc40dee5ef75af03f3f3

configd-801.10.2.tar.gz
---

diff --git a/dnsinfo/dnsinfo_copy.c b/dnsinfo/dnsinfo_copy.c
index bd494f3..004be20 100644
--- a/dnsinfo/dnsinfo_copy.c
+++ b/dnsinfo/dnsinfo_copy.c
@@ -2,14 +2,14 @@
  * Copyright (c) 2004, 2006, 2008-2013, 2015 Apple Inc. All rights reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
- * 
+ *
  * This file contains Original Code and/or Modifications of Original Code
  * as defined in and that are subject to the Apple Public Source License
  * Version 2.0 (the 'License'). You may not use this file except in
  * compliance with the License. Please obtain a copy of the License at
  * http://www.opensource.apple.com/apsl/ and read it before using this
  * file.
- * 
+ *
  * The Original Code and all software distributed under the License are
  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
@@ -17,7 +17,7 @@
  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  * Please see the License for the specific language governing rights and
  * limitations under the License.
- * 
+ *
  * @APPLE_LICENSE_HEADER_END@
  */
 
@@ -79,6 +79,7 @@ dns_config_t *
 dns_configuration_copy()
 {
 	uint8_t			*buf		= NULL;
+	size_t			bufLen;
 	dns_config_t		*config		= NULL;
 	static const char	*proc_name	= NULL;
 	xpc_object_t		reqdict;
@@ -90,13 +91,15 @@ dns_configuration_copy()
 			static const char	*service_name	= DNSINFO_SERVICE_NAME;
 
 			dispatch_once(&once, ^{
+#if	DEBUG
 				const char	*name;
 
 				// get [XPC] service name
 				name = getenv(service_name);
-				if ((name != NULL) && (issetugid() == 0)) {
+				if (name != NULL) {
 					service_name = strdup(name);
 				}
+#endif	// DEBUG
 
 				// get process name
 				proc_name = getprogname();
@@ -140,16 +143,43 @@ dns_configuration_copy()
 		if ((dataRef != NULL) &&
 		    ((dataLen >= sizeof(_dns_config_buf_t)) && (dataLen <= DNS_CONFIG_BUF_MAX))) {
 			_dns_config_buf_t       *config         = (_dns_config_buf_t *)(void *)dataRef;
-			uint32_t                n_padding       = ntohl(config->n_padding);
-
-			if (n_padding <= (DNS_CONFIG_BUF_MAX - dataLen)) {
-				size_t        len;
-
-				len = dataLen + n_padding;
-				buf = malloc(len);
-				bcopy((void *)dataRef, buf, dataLen);
-				bzero(&buf[dataLen], n_padding);
-			}
+			size_t			configLen;
+			uint32_t                n_attribute	= ntohl(config->n_attribute);
+			uint32_t		n_padding       = ntohl(config->n_padding);
+
+			/*
+			 * Check that the size of the configuration header plus the size of the
+			 * attribute data matches the size of the configuration buffer.
+			 *
+			 * If the sizes are different, something that should NEVER happen, CRASH!
+			 */
+			configLen = sizeof(_dns_config_buf_t) + n_attribute;
+			assert(configLen == dataLen);
+
+			/*
+			 * Check that the size of the requested padding would not result in our
+			 * allocating a configuration + padding buffer larger than our maximum size.
+			 *
+			 * If the requested padding size is too large, something that should NEVER
+			 * happen, CRASH!
+			 */
+			assert(n_padding <= (DNS_CONFIG_BUF_MAX - dataLen));
+
+			/*
+			 * Check that the actual size of the configuration data and any requested
+			 * padding will be less than the maximum possible size of the in-memory
+			 * configuration buffer.
+			 *
+			 * If the length needed is too large, something that should NEVER happen, CRASH!
+			 */
+			bufLen = dataLen + n_padding;
+			assert(bufLen <= DNS_CONFIG_BUF_MAX);
+
+			// allocate a buffer large enough to hold both the configuration
+			// data and the padding.
+			buf = malloc(bufLen);
+			bcopy((void *)dataRef, buf, dataLen);
+			bzero(&buf[dataLen], n_padding);
 		}
 
 		xpc_release(reply);
diff --git a/dnsinfo/dnsinfo_internal.h b/dnsinfo/dnsinfo_internal.h
index 3d695f1..1359cde 100644
--- a/dnsinfo/dnsinfo_internal.h
+++ b/dnsinfo/dnsinfo_internal.h
@@ -93,10 +93,10 @@ _dns_configuration_expand_resolver(_dns_resolver_buf_t *buf, uint32_t n_buf, voi
 
 	resolver->n_nameserver = ntohl(resolver->n_nameserver);
 	if (!__dns_configuration_expand_add_list(padding,
-		      n_padding,
-		      resolver->n_nameserver,
-		      sizeof(DNS_PTR(struct sockaddr *, x)),
-		      (void **)&resolver->nameserver)) {
+						 n_padding,
+						 resolver->n_nameserver,
+						 sizeof(DNS_PTR(struct sockaddr *, x)),
+						 (void **)&resolver->nameserver)) {
 		goto error;
 	}
 
@@ -108,10 +108,10 @@ _dns_configuration_expand_resolver(_dns_resolver_buf_t *buf, uint32_t n_buf, voi
 
 	resolver->n_search = ntohl(resolver->n_search);
 	if (!__dns_configuration_expand_add_list(padding,
-		      n_padding,
-		      resolver->n_search,
-		      sizeof(DNS_PTR(char *, x)),
-		      (void **)&resolver->search)) {
+						 n_padding,
+						 resolver->n_search,
+						 sizeof(DNS_PTR(char *, x)),
+						 (void **)&resolver->search)) {
 		goto error;
 	}
 
@@ -119,10 +119,10 @@ _dns_configuration_expand_resolver(_dns_resolver_buf_t *buf, uint32_t n_buf, voi
 
 	resolver->n_sortaddr = ntohl(resolver->n_sortaddr);
 	if (!__dns_configuration_expand_add_list(padding,
-		      n_padding,
-		      resolver->n_sortaddr,
-		      sizeof(DNS_PTR(dns_sortaddr_t *, x)),
-		      (void **)&resolver->sortaddr)) {
+						 n_padding,
+						 resolver->n_sortaddr,
+						 sizeof(DNS_PTR(dns_sortaddr_t *, x)),
+						 (void **)&resolver->sortaddr)) {
 		goto error;
 	}
 
@@ -237,44 +237,45 @@ _dns_configuration_expand_config(_dns_config_buf_t *buf)
 	int32_t			n_service_specific_resolver	= 0;
 	void			*padding;
 
-	// establish padding
+	n_attribute = ntohl(buf->n_attribute);	// pre-validated (or known OK) at entry
+	n_padding   = ntohl(buf->n_padding);	// pre-validated (or known OK) at entry
 
-	padding   = &buf->attribute[ntohl(buf->n_attribute)];
-	n_padding = ntohl(buf->n_padding);
+	// establish the start of padding to be after the last attribute
+
+	padding = &buf->attribute[n_attribute];
 
 	// initialize resolver lists
 
 	config->n_resolver = ntohl(config->n_resolver);
 	if (!__dns_configuration_expand_add_list(&padding,
-		      &n_padding,
-		      config->n_resolver,
-		      sizeof(DNS_PTR(dns_resolver_t *, x)),
-		      (void **)&config->resolver)) {
+						 &n_padding,
+						 config->n_resolver,
+						 sizeof(DNS_PTR(dns_resolver_t *, x)),
+						 (void **)&config->resolver)) {
 		goto error;
 	}
 
 	config->n_scoped_resolver = ntohl(config->n_scoped_resolver);
 	if (!__dns_configuration_expand_add_list(&padding,
-		      &n_padding,
-		      config->n_scoped_resolver,
-		      sizeof(DNS_PTR(dns_resolver_t *, x)),
-		      (void **)&config->scoped_resolver)) {
+						 &n_padding,
+						 config->n_scoped_resolver,
+						 sizeof(DNS_PTR(dns_resolver_t *, x)),
+						 (void **)&config->scoped_resolver)) {
 		goto error;
 	}
 
 	config->n_service_specific_resolver = ntohl(config->n_service_specific_resolver);
 	if (!__dns_configuration_expand_add_list(&padding,
-		      &n_padding,
-		      config->n_service_specific_resolver,
-		      sizeof(DNS_PTR(dns_resolver_t *, x)),
-		      (void **)&config->service_specific_resolver)) {
+						 &n_padding,
+						 config->n_service_specific_resolver,
+						 sizeof(DNS_PTR(dns_resolver_t *, x)),
+						 (void **)&config->service_specific_resolver)) {
 		goto error;
 	}
 
 	// process configuration buffer "attribute" data
 
-	n_attribute = ntohl(buf->n_attribute);
-	attribute   = (dns_attribute_t *)(void *)&buf->attribute[0];
+	attribute = (dns_attribute_t *)(void *)&buf->attribute[0];
 
 	while (n_attribute >= sizeof(dns_attribute_t)) {
 		uint32_t	attribute_length	= ntohl(attribute->length);