[WS2_32]
authorThomas Faber <thomas.faber@reactos.org>
Wed, 20 Jun 2012 00:57:53 +0000 (00:57 +0000)
committerThomas Faber <thomas.faber@reactos.org>
Wed, 20 Jun 2012 00:57:53 +0000 (00:57 +0000)
- Do not manually allocate an incompatible hostent structure in FindEntryInHosts. Use populate_hostent instead. Fixes buffer overflow in name resolution.
See issue #7126 for more details.

svn path=/trunk/; revision=56756

reactos/dll/win32/ws2_32/include/ws2_32.h
reactos/dll/win32/ws2_32/misc/ns.c

index cc72137..075c9be 100644 (file)
@@ -76,7 +76,7 @@ typedef struct _WINSOCK_THREAD_BLOCK
 
 /* ws2_32 internal Functions */
 void check_hostent(struct hostent **he);
-void populate_hostent(struct hostent *he, char* name, DNS_A_DATA addr);
+void populate_hostent(struct hostent *he, char* name, IP4_ADDRESS addr);
 void free_hostent(struct hostent *he);
 void free_servent(struct servent* s);
 
index e2b3e0f..01a43ae 100644 (file)
@@ -529,7 +529,7 @@ void check_hostent(struct hostent **he)
     }
 }
 
-void populate_hostent(struct hostent *he, char* name, DNS_A_DATA addr)
+void populate_hostent(struct hostent *he, char* name, IP4_ADDRESS addr)
 {
     ASSERT(he);
 
@@ -561,8 +561,8 @@ void populate_hostent(struct hostent *he, char* name, DNS_A_DATA addr)
     WS_DbgPrint(MID_TRACE,("he->h_addr_list[0] %x\n", he->h_addr_list[0]));
 
     RtlCopyMemory(he->h_addr_list[0],
-                  &addr.IpAddress,
-                  sizeof(addr.IpAddress));
+                  &addr,
+                  sizeof(addr));
 
     he->h_addr_list[1] = NULL;
 }
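Review bot: The copy length in the RtlCopyMemory call is now `sizeof(addr)`, so the number of bytes written into `he->h_addr_list[0]` follows the parameter's type, while the allocation of that buffer and the assignment of `he->h_length` lie outside this hunk and cannot be checked from here. Since this commit fixes a buffer overflow, the write should be tied visibly to the allocation, for example by using the same size expression for both. At minimum, add a comment above the copy such as `/* addr is one IPv4 address; size must match the h_addr_list[0] allocation and h_length */`. The body of populate_hostent begins outside the hunk.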
@@ -813,51 +813,12 @@ FindEntryInHosts(IN CONST CHAR FAR* name)
         return NULL;
     }
 
-    if( !p->Hostent )
-    {
-        p->Hostent = HeapAlloc(GlobalHeap, 0, sizeof(*p->Hostent));
-        if( !p->Hostent )
-        {
-            WSASetLastError( WSATRY_AGAIN );
-            return NULL;
-        }
-    }
-
-    p->Hostent->h_name = HeapAlloc(GlobalHeap, 0, strlen(DnsName));
-    if( !p->Hostent->h_name )
-    {
-        WSASetLastError( WSATRY_AGAIN );
-        return NULL;
-    }
-
-    RtlCopyMemory(p->Hostent->h_name,
-                  DnsName,
-                  strlen(DnsName));
-
-    p->Hostent->h_aliases = HeapAlloc(GlobalHeap, 0, sizeof(char *));
-    if( !p->Hostent->h_aliases )
-    {
-        WSASetLastError( WSATRY_AGAIN );
-        return NULL;
-    }
-
-    p->Hostent->h_aliases[0] = 0;
-
     if (strstr(AddressStr, ":"))
     {
        DbgPrint("AF_INET6 NOT SUPPORTED!\n");
        WSASetLastError(WSAEINVAL);
        return NULL;
     }
-    else
-       p->Hostent->h_addrtype = AF_INET;
-
-    p->Hostent->h_addr_list = HeapAlloc(GlobalHeap, 0, sizeof(char *));
-    if( !p->Hostent->h_addr_list )
-    {
-        WSASetLastError( WSATRY_AGAIN );
-        return NULL;
-    }
 
     Address = inet_addr(AddressStr);
     if (Address == INADDR_NONE)
@@ -866,18 +827,7 @@ FindEntryInHosts(IN CONST CHAR FAR* name)
         return NULL;
     }
 
-    p->Hostent->h_addr_list[0] = HeapAlloc(GlobalHeap, 0, sizeof(Address));
-    if( !p->Hostent->h_addr_list[0] )
-    {
-        WSASetLastError( WSATRY_AGAIN );
-        return NULL;
-    }
-
-    RtlCopyMemory(p->Hostent->h_addr_list[0],
-                  &Address,
-                  sizeof(Address));
-
-    p->Hostent->h_length = sizeof(Address);
+    populate_hostent(p->Hostent, DnsName, Address);
 
     return p->Hostent;
 }
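Review bot: `populate_hostent(p->Hostent, DnsName, Address);` now runs without the `if( !p->Hostent )` allocation that the previous hunk removes, and populate_hostent opens with `ASSERT(he)`, so a thread that arrives here with no hostent yet would trip the assert, or write through NULL where asserts are compiled out. Whether the caller already guarantees a non-NULL `p->Hostent` is not visible on this page. If it does not, add `check_hostent(&p->Hostent);` before the call (assuming that helper creates the structure when it is missing), and otherwise state the precondition in a comment. Separately, populate_hostent returns void, so the `WSASetLastError( WSATRY_AGAIN )` reporting on allocation failure in the removed code is lost unless populate_hostent handles it internally. FindEntryInHosts begins outside the hunk.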
@@ -996,7 +946,9 @@ gethostbyname(IN  CONST CHAR FAR* name)
             {
                 WS_DbgPrint(MID_TRACE,("populating hostent\n"));
                 WS_DbgPrint(MID_TRACE,("pName is (%s)\n", curr->pName));
-                populate_hostent(p->Hostent, (PCHAR)curr->pName, curr->Data.A);
+                populate_hostent(p->Hostent,
+                                 (PCHAR)curr->pName,
+                                 curr->Data.A.IpAddress);
                 DnsRecordListFree(dp, DnsFreeRecordList);
                 return p->Hostent;
             }