Synopsis: NIS hostname buffer overrun.
NetBSD versions: All
Thanks to: Itojun
Reported in NetBSD Security Advisory: SA2000-012

--- lib/libc/net/gethnamaddr.c 2000/07/07 11:03:38	1.35
+++ lib/libc/net/gethnamaddr.c 2000/07/30 05:44:36	1.36
@@ -1272,14 +1272,14 @@
 	 * XXX: maybe support IPv6 parsing, based on 'af' setting
 	 */
 nextline:
+	/* check for host_addrs overflow */
+	if (buf >= &host_addrs[sizeof(host_addrs) / sizeof(host_addrs[0])])
+		goto done;
+
 	more = 0;
 	cp = strpbrk(p, " \t");
-	if (cp == NULL) {
-		if (host.h_name == NULL)
-			return (NULL);
-		else
-			goto done;
-	}
+	if (cp == NULL)
+		goto done;
 	*cp++ = '\0';
 
 	*hap++ = (char *)(void *)buf;
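Review bot: The new guard at `nextline:` bounds `buf` against `host_addrs`, but the store `*hap++ = (char *)(void *)buf;` and the later `*hap = NULL;` at `done:` are still bounded only implicitly. They stay in range only if the pointer array that `hap` walks has at least one more element than `host_addrs`; that declaration is outside the hunk, so it should be confirmed and recorded next to the check, e.g. `/* also bounds hap: the pointer array needs one more slot than host_addrs, for the NULL terminator */`. The record is also truncated silently when the limit is reached, which the comment could state so callers know the address list may be incomplete. The enclosing function starts and ends outside this hunk.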
@@ -1320,6 +1320,8 @@
 			*cp++ = '\0';
 	}
 done:
+	if (host.h_name == NULL)
+		return (NULL);
 	*q = NULL;
 	*hap = NULL;
 	return (&host);
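Review bot: The `host.h_name == NULL` test at `done:` is only meaningful if `host.h_name` is reset to NULL on every call before `nextline:` is reached. `return (&host)` suggests `host` has static storage, so a name left over from an earlier lookup would let a record with no parsed name return stale data instead of NULL. The reset is not visible in this hunk and should be confirmed. A short comment above the test would also help, e.g. `/* no host name parsed: treat the NIS record as malformed */`. The function body begins outside the hunk.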