Thank you for the submission of the updated res_query.c.  A diff or
patch would have been easier to read. 

The submitted change ensures that the 'answer' buffer allocated on the
stack within do_res_search() is not written beyond its length, but it
does so by breaking the semantics of res_search().  If the required
buffer length is larger than the provided answer buffer length, res_search
is supposed to return as much of the answer as possible and return the
required length.  This permits the caller of res_search to allocate a
larger buffer and retry.  krb5 counts on this behavior.

The real problem is in build_rr() which is unaware of the remaining
space in the buffer pointed to by 'cp'.  When the buffer fills, instead
of counting the required bytes, it blindly continues to copy data in.




_______________________________________________
kfwdev mailing list
kfwdev@mit.edu
http://mailman.mit.edu/mailman/listinfo/kfwdev
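The contract described in the message above, shown as an added C example (not the code from the submitted res_query.c, and not krb5's actual caller): a bounded record builder that stops copying once the buffer is full but keeps counting the bytes it would have needed, a search routine that returns that required length, and a caller that grows its buffer and retries when the return value exceeds what it passed in.  The record bytes are constructed sample data and the function names (bounded_build_rr, search_answer, fetch_answer) are hypothetical stand-ins for build_rr()/do_res_search()/res_search().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data standing in for three resource records that a
 * build_rr()-style routine would emit into 'cp'.  Not real DNS wire format. */
static const unsigned char rr1[] = { 0xc0, 0x0c, 0x00, 0x21, 0x00, 0x01,
                                     0xde, 0xad, 0xbe, 0xef };
static const unsigned char rr2[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
                                     0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
static const unsigned char rr3[] = { 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
                                     0x11, 0x22 };

/* Hypothetical bounded build_rr(): copies at most 'avail' bytes to 'cp' and
 * always returns the number of bytes the record needs.  Once the buffer is
 * full it keeps counting instead of writing, so the caller can learn the
 * required size without any out-of-bounds write. */
static size_t bounded_build_rr(unsigned char *cp, size_t avail,
                               const unsigned char *rdata, size_t rdlen)
{
    size_t n = rdlen < avail ? rdlen : avail;
    if (n > 0)
        memcpy(cp, rdata, n);
    return rdlen;
}

/* Hypothetical do_res_search() analog following the res_search() contract:
 * fill 'answer' with as much as fits and return the full required length.
 * A return value larger than anslen tells the caller to grow and retry. */
static int search_answer(unsigned char *answer, size_t anslen)
{
    const unsigned char *rrs[] = { rr1, rr2, rr3 };
    const size_t lens[] = { sizeof rr1, sizeof rr2, sizeof rr3 };
    size_t required = 0;
    size_t i;

    for (i = 0; i < 3; i++) {
        size_t used = required < anslen ? required : anslen;
        size_t avail = anslen - used;
        required += bounded_build_rr(answer + used, avail, rrs[i], lens[i]);
    }
    return (int)required;
}

/* Caller pattern the message says krb5 relies on: start with a small buffer
 * and, when the returned length exceeds it, reallocate to that length and
 * retry.  Returns a malloc'd buffer of *out_len bytes, or NULL on failure. */
static unsigned char *fetch_answer(size_t initial, size_t *out_len)
{
    size_t cap = initial;
    unsigned char *buf = malloc(cap);
    int need;

    if (buf == NULL)
        return NULL;
    need = search_answer(buf, cap);
    if (need < 0) {
        free(buf);
        return NULL;
    }
    if ((size_t)need > cap) {
        unsigned char *bigger = realloc(buf, (size_t)need);
        if (bigger == NULL) {
            free(buf);
            return NULL;
        }
        buf = bigger;
        cap = (size_t)need;
        need = search_answer(buf, cap);
        if (need < 0 || (size_t)need > cap) {
            free(buf);
            return NULL;
        }
    }
    *out_len = (size_t)need;
    return buf;
}

/* Verifies that a retrieved answer holds all three records in order. */
static int answer_is_complete(const unsigned char *buf, size_t len)
{
    return len == sizeof rr1 + sizeof rr2 + sizeof rr3 &&
           memcmp(buf, rr1, sizeof rr1) == 0 &&
           memcmp(buf + sizeof rr1, rr2, sizeof rr2) == 0 &&
           memcmp(buf + sizeof rr1 + sizeof rr2, rr3, sizeof rr3) == 0;
}

int main(void)
{
    unsigned char small[8];
    size_t len = 0;
    unsigned char *full;

    /* First call with a deliberately undersized buffer: only 8 bytes are
     * written, but the full requirement (30) is reported back. */
    printf("required=%d with %zu-byte buffer\n",
           search_answer(small, sizeof small), sizeof small);

    full = fetch_answer(sizeof small, &len);
    printf("after retry: %zu bytes, complete=%d\n",
           len, full ? answer_is_complete(full, len) : 0);
    free(full);
    return 0;
}
```

The point of the bounded builder is that the remaining-space argument travels with 'cp': every copy is clamped to what is left, and the return value is the requirement rather than the amount written.  That keeps the stack buffer in do_res_search() safe without breaking the grow-and-retry loop that callers such as krb5 depend on.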
