about summary refs log tree commit diff
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* mntent: unescape octal sequencesq662023-11-161-4/+40
| | | | | | As entries in mtab are delimited by spaces, whitespace characters are escaped as octal sequences. When reading them out, we have to unescape these sequences to get the proper string.
* ldso: convert TLSDESC_BACKWARDS from "#ifdef" to "if" logicRich Felker2023-11-061-0/+4
| | | | | this style is preferred because it allows the code to be compile-checked even on archs where it is not used.
* byte-based printf family: emit a nul byte for %lc with argument zeroRich Felker2023-11-061-0/+2
| | | | | | | | this is contrary to the spec as written, which requires %lc to behave as if it were %ls on a 2-wchar_t buffer containing the argument and zero. however, apparently no other implementations conform to the spec as written, and in response to Austin Group issue #1647, WG14 chose to align with existing practice and have %lc produce output for this case.
* remove arbitrary limit from dns result parsingQuentin Rameau2023-11-061-1/+0
| | | | | | | | | | The name resolution would abort when getting more than 63 records per request, due to what seems to be a left-over from the original code. This check was non-breaking but spurious prior to TCP fallback support, since any 512-byte packet with more than 63 records was necessarily malformed. But now, it wrongly rejects valid results. Reported by Daniel Stefanik in Alpine Linux aports issue 15320.
* pass AT_NO_AUTOMOUNT when emulating fstatat via statxAlexey Izbyshev2023-11-061-0/+1
| | | | | | | | | | | AT_NO_AUTOMOUNT is implied for stat/lstat/fstatat syscalls since Linux 3.1 (commit b6c8069d3577481390b3f24a8434ad72a3235594). However, this is not the case for statx syscall, which defaults to automounting, so this flag must be passed explicitly when statx is used to implement stat-like functions. This change affects only arches which use 32-bit seconds in struct kstat, as well as out-of-tree/future ports to arches which lack SYS_fstatat.
* __year_to_secs: fix dangling pointerAlex Xu (Hello71)2023-11-061-2/+2
| | | | | The lifetime of the compound literal ends after the "if" statement's implicit block. gcc also warns about this.
* timer_create: volatile static -> static volatileAlex Xu (Hello71)2023-11-061-1/+1
| | | | | | | | | | C11 6.11.5p1: > The placement of a storage-class specifier other than at the > beginning of the declaration specifiers in a declaration is an > obsolescent feature. gcc also warns about this.
* ensure valid setxid return value in an unexpected error caseMarkus Wichmann2023-11-061-1/+1
| | | | | | | | | | | | If __synccall() fails to capture all threads because tkill fails for some reason other than EAGAIN, then the callback given will never be executed, so nothing will ever overwrite the initial value. So that is the value that will be returned from the function. The previous setting of 1 is not a valid value for setuid() et al. to return. I chose -EAGAIN since I don't know the reason the synccall failed ahead of time, but EAGAIN is a specified error code for a possibly temporary failure in setuid().
* synccall: add separate exit_sem to fix thread release logic bugMarkus Wichmann2023-11-061-3/+5
| | | | | | | | | | | | | | | | | The code intends for the sem_post() in line 97 (now 98) to only unblock target threads waiting on line 29. But after the first thread is released, the next sem_post() might also unblock a thread waiting on line 36. That would cause the thread to return to the execution of user code before all threads are done, leading to user code being executed in a mixed-credentials environment. What's more, if this happens more than once, then the mass release on line 110 (now line 111) will cause multiple threads to execute the callback at the same time, and the callbacks are currently not written to cope with that situation. Adding another semaphore allows the caller to say explicitly which threads it wants to release.
* glob: fix wrong return code when aborting before any matchesRich Felker2023-08-241-1/+1
| | | | | | | | | | when the result count was zero, glob was ignoring a possible GLOB_ABORTED error code and returning GLOB_NOMATCH. whether this happened could be nondeterministic and dependent on the order of dirent enumeration, in cases where multiple matches were present and only some produced errors. caught by Tor's test_util_glob.
* statvfs: allocate spare for f_typeнаб2023-08-191-0/+1
| | | | | | | | | | | | | | | | | | | | This is the only missing part in struct statvfs. The LSB calls [f]statfs() deprecated, and its weird types are definitely off-putting. However, its use is required to get f_type. Instead, allocate one of the six spares to f_type, copied directly from struct statfs. This then becomes a small extension to the standard interface on Linux, instead of two different interfaces, one of which is quite odd due to being an ABI type, and there no longer is any reason to use statfs(). The underlying kernel type is a mess, but all architectures agree on u32 (or more) for the ABI, and all filesystem magicks are 32-bit integers. Since commit 6567db65f495cf7c11f5c1e60a3e54543d5a69bc (prior to 1.0.0), the spare slots have been zero-filled, so on all versions that may be reasonably be encountered in the wild, applications can rely on a nonzero f_type as indication that the new field has been filled in.
* math: fix ld80 powl(x,huge) and powl(LDBL_MAX,small)Szabolcs Nagy2023-08-191-13/+21
| | | | | | | | | | | | | | powl used >= LDBL_MAX as infinity check, but LDBL_MAX is finite, so this can cause wrong results e.g. powl(LDBL_MAX, 0.5) returned inf or powl(2, LDBL_MAX) returned inf without raising overflow. huge y values (close to LDBL_MAX) could cause intermediate results to overflow (computing y * log2(x) with more than long double precision) and e.g. powl(0.5, 0x1p16380L) or powl(10, 0x1p16380L) returned nan. this is fixed by handling huge y early since that always overflows or underflows. reported by Paul Zimmermann against expl10 (which uses powl).
* math: fix ld80 acoshl(x) for x < 0Szabolcs Nagy2023-08-191-3/+7
| | | | | | | | | | | | acosh(x) is nan for x < 1, but x < 0 cases were not handled specially and acoshl gave wrong result for some -0x1p32 < x < -2 values, e.g.: acoshl(-0x1p20) returned -inf, acoshl(-0x1.4p20) returned -0x1.db365758403aa9acp+0L, fixed by checking the sign bit and handling it specially. reported by Paul Zimmermann.
* fix rejection of dns responses with pointers past 512 byte offsetRich Felker2023-07-171-2/+2
| | | | | | | | | | | | the __dns_parse code used by the stub resolver traditionally included code to reject label pointers to offsets past a 512 byte limit, despite never processing the label contents, only stepping over them. when commit 51d4669fb97782f6a66606da852b5afd49a08001 added support for tcp fallback, this limit was overlooked, and as a result, it was at least theoretically possible for some valid large answers to be rejected on account of these offsets. since the limit was never serving any useful purpose, just remove it.
* dns stub resolver: increase buffer size to handle chained CNAMEsRich Felker2023-07-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | in the event of chained CNAMEs, the answer to a query will contain the entire CNAME chain, not just one CNAME record. previously, the answer buffer size had been chosen to admit a maximal-length CNAME, but only one. a moderate-length chain could fill the available 768 bytes leaving no room for an actual address answering the query. while the DNS RFCs do not specify any limit on the length of a CNAME chain, or any reasonable behavior is the chain exceeds the entire 64k possible message size, actual recursive servers have to impose a limit, and a such, for all practical purposes, chains longer than this limit are not usable. it turns out BIND has a hard-coded limit of 16, and Unbound has a default limit of 11. assuming the recursive server makes use of "compression" (pointers), each maximal-length CNAME record takes at most 268 bytes, and thus any chain up to length 16 fits in at most 4288 bytes. this patch increases the answer buffer size to preserve the original intent of having 512 bytes available for address answers, plus space needed for a maximal CNAME chain, for a total of 4800 bytes. the resulting size of 9600 bytes for two queries (A+AAAA) is still well within what is reasonable to place in automatic storage.
* printf core: fix gratuitous integer formatting buffer sizeRich Felker2023-06-121-1/+1
| | | | | | | | | | | the extra terms 3 and LDBL_MANT_DIG/4 are remnants of a proto-musl implementation of printf where the sign/prefix and floating point conversions were performed naively into this buffer. having them there obscures the actual intended buffer size (sufficient to hold between 2 and 3 octal digits per byte, rounded up to 3 for simplicity) and interferes with upcoming work to add C2x binary formats which would otherwise be stuck having to explain a similar fix to buffer size as part of an unrelated change.
* all printf variants: fix argument type handling for %c and %lcRich Felker2023-06-122-4/+4
| | | | | | | | | | | | | | | | %c takes an argument of type int, not char, and %lc/%C takes an argument of type wint_t (unsigned), not int. for most cases, this makes no practical difference, but since wide printf variants convert narrow %c format specifiers via btowc, interpreting the promoted-to-int unsigned char value passed in as a (signed, on most archs) char causes 255 to get collapsed to EOF and interpreted as such by btowc. this is only relevant in the byte-based C locale, so prior to commit f22a9edaf8a6f2ca1d314d18b3785558279a5c03, there was no observable distinction in behavior. for UTF-8, all bytes which might be negative when interpreted as char are encoding errors when used with %c/btowc.
* fix public clone function to be safe and usable by applicationsRich Felker2023-06-013-16/+68
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the clone() function has been effectively unusable since it was added, due to producing a child process with inconsistent state. in particular, the child process's thread structure still contains the tid, thread list pointers, thread count, and robust list for the parent. this will cause malfunction in interfaces that attempt to use the tid or thread list, some of which are specified to be async-signal-safe. this patch attempts to make clone() consistent in a _Fork-like sense. as in _Fork, when the parent process is multi-threaded, the child process inherits an async-signal context where it cannot call AS-unsafe functions, but its context is now intended to be safe for calling AS-safe functions. making clone fork-like would also be a future option, if it turns out that this is what makes sense to applications, but it's not done at this time because the changes would be more invasive. in the case where the CLONE_VM flag is used, clone is only vfork-like, not _Fork-like. in particular, the child will see itself as having the parent's tid, and cannot safely call any libc functions but one of the exec family or _exit. handling of flags and variadic arguments is also changed so that arguments are only consumed with flags that indicate their presence, and so that flags which produce an inconsistent state are disallowed (reported as EINVAL). in particular, all libc functions carry a contract that they are only callable with ABI requirements met, which includes having a valid thread pointer to a thread structure that's unique within the process, and whose contents are opaque and only able to be setup internally by the implementation. the only way for an application to use flags that violate these requirements without executing any libc code is to perform the syscall from application-provided asm.
* fix broken thread list unlocking after forkRich Felker2023-06-011-1/+1
| | | | | | | | | | | apparently Linux clears the registered exit futex address on fork. this means that, if after forking the child process becomes multithreaded and the original thread exits, the thread list will never be unlocked, and future attempts to use the thread list will deadlock. re-register the exit futex address after _Fork in the child to ensure that it's preserved.
* mbrtowc: Fix wrong return value when n > UINT_MAXAlexey Izbyshev2023-05-261-1/+1
| | | | | | mbrtowc truncates n to unsigned int when storing its copy. If n > UINT_MAX and the locale is not POSIX, the function will return a wrong value greater than UINT_MAX on the success path.
* fix return value of wmemcmp for extreme wchar_t valuesRich Felker2023-04-241-1/+1
| | | | | analogous to the bug in wcscmp and wcsncmp that was fixed in commit 07616721f1fa6cb215ffbef23441cae80412484f.
* fix wide printf numbered argument buffer overflowGabriel Ravier2023-04-141-2/+2
| | | | | | | The nl_type and nl_arg arrays defined in vfwprintf may be accessed with an index up to and including NL_ARGMAX, but they are only of size NL_ARGMAX, meaning they may be written to or read from 1 element too far.
* wait4: fix missing rusage on x32 due to wrong success conditionAlexey Izbyshev2023-04-111-1/+1
| | | | | | | | Resource usage data is filled by the kernel only when wait4 returns a pid, i.e. a positive value. Commit 5850546e9669f793aab61dfc7c4f2c1ff35c4b29 introduced this bug, possibly because of copy-pasting from getrusage.
* semtimedop: fix timespec kernel ABI mismatch for 32-bit timeouts on x32Alexey Izbyshev2023-04-111-1/+2
| | | | | | | | | | | | | | | | | | | | | | | For time64 support, musl normally defines SYS_foo to the time32 variant of that syscall on arches that have it, and to the time64 variant otherwise, so that "SYS_foo == SYS_foo_time64" implies that the arch is time64-only. However, SYS_semtimedop is an odd case: some arches define only SYS_semtimedop_time64, yet they are not time64-only, because the time32 variant is provided via SYS_ipc instead. For such arches, defining SYS_semtimedop to SYS_semtimedop_time64 would break the implication above, so commit 4bbd7baea7c8538b3fb8e30f7b022a1eee071450 doesn't do this. Commit eb2e298cdc814493a6ced8c05cf0d0f5cccc8b63 attempts to detect time64-only arches by checking that both SYS_semtimedop and SYS_ipc are undefined, but this doesn't work for x32, because it's a time64-only arch that does define SYS_semtimedop. As a result, 32-bit timeouts trigger the fallback path that passes a 32-bit timespec to the kernel while it expects a 64-bit one, so the effective tv_sec is formed by interpreting 32-bit tv_sec and tv_nsec as a single long long, and the effective tv_nsec is whatever is located in the next 64 bits of the stack. Fix this by expanding the time64-only check to include arches where SYS_semtimedop is the time64 variant of the syscall.
* getopt: fix null pointer arithmetic ubAlexey Izbyshev2023-04-111-1/+2
| | | | | | | When an option that requires an argument is the last character of argv[argc-1], getopt computes argv[argc] + optpos. While optpos is always zero in this case, adding it to null pointer is still undefined.
* nftw: fix use of uninitialized struct statAlexey Izbyshev2023-04-111-1/+3
| | | | | | | | | | | | | | | | | If lstat/stat fails with EACCES, st is left uninitialized, but its st_dev/st_ino fields are then used in several places: * for FTW_MOUNT check (in practice typically results in a false positive and an early return) * for copying to the new struct history (though the struct is not used afterwards since we don't recurse in this case) * for cycle detection check (could theoretically result in a false positive and an early return) To avoid adding FTW_NS checks to all these places, fix this by zero-initializing st_dev/st_ino (which can never match an existing dentry due to zero inode being reserved in Linux), and check for FTW_NS only when handling FTW_MOUNT since we need two valid dentries there.
* dns: check length field in tcp response messageAlexey Kodanev2023-04-071-0/+1
| | | | | | | | | The received length field in the message may be greater than the size of the 'answer' buffer in which the message resides. Currently, ABUF_SIZE is 768. And if we get a larger 'alens[i]', it will result in an out-of-bounds reading in __dns_parse(). To fix this, limit the length to the size of the received buffer.
* fix swprintf handling of nul character in outputRich Felker2023-03-221-0/+1
| | | | | | | the buffer-flush function did not account for mbtowc returning 0 rather than 1 when converting the nul character. this prevented advancing past it, instead repeatedly converting it into the output wide character string until the max output length was exhausted.
* in printf, use ferror macro rather than directly inspecting flags bitRich Felker2023-03-211-2/+2
| | | | | this is purely aesthetic and should not affect code generation or functionality.
* remove wide printf dependency on ugly hack in vfprintfRich Felker2023-03-212-9/+15
| | | | | | | | | | | | | | | | | | | | | | | | | commit d42269d7c85308abdbf8cee38b1a1097249eb38b appropriated the stream error flag temporarily to let the printf family of functions suppress further output attempts after encountering a write error. since the wide printf code relies on (narrow) vfprintf to print padding and numeric conversions, a hack was put in vfprintf not to clear the initial error status unless the stream is narrow oriented. this was okay, because calling vfprintf on a wide-oriented stream (outside of internal use by the implementation) produces undefined behavior. however, it was highly non-obvious to anyone reading the wide printf code, where the calls to fprintf without first checking for error status appeared erroneous. this patch removes all direct use of fprintf from the wide printf core, except in the numeric conversions case where it was already checked before starting processing of the directive that the error status is not set. the other calls, which were performing padding, are replaced by a new pad() helper function, which performs the check and abstracts out the mechanism of writing the padding. direct use of the error flag is also replaced by ferror, which is defined as a macro in stdio_impl.h, expanding directly to the flag check with no call or locking overhead.
* fix (normal, narrow) printf erroneously processing %n after output errorsRich Felker2023-03-211-0/+3
| | | | | | | | | | | | | | | unlike with wide printf variants, encoding errors are not a vector by which this bug is reachable, and the out() helper function already ensured that no further output could be written after an output error, transient or otherwise. however, the %n specifier could still be processed after an error, yielding a side effect that wrongly implied output had succeeded. due to buffering effects, it's still possible for %n to show output as having "succeeded", but for it never to appear on the underlying file due to an error at flush time. this change, however, ensures that processing of %n does not conflict with any error which has already been seen.
* fix wide printf continuation after output or encoding errorsRich Felker2023-03-211-2/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | this fixes a broader bug for which a special case was reported by Bruno Haible, in the form of %n getting processed (and reporting the number of wide characters which would have been written, but weren't) after an encoding error (EILSEQ). in addition to the %n case, some but not all of the format specifiers continued to attempt output after an error. in particular, %c, %lc, and %s all used fputwc directly without any check for error status. as long as the error condition was permanent rather than transient, these write attempts had no visible side effects, but in theory it could be visible, for example with EAGAIN/EWOULDBLOCK or ENOSPC, if the condition precluding output came to an end. this could produce output with missing non-final data, rather than just truncated output, albeit with the function still returning -1 as expected to report an error. to fix this, a check is added to stop processing of any new directive (including %n) if the stream is already in error state, and direct use of fputwc is replaced with calls to the out() helper function, which checks for error status. note that fprintf is also used directly without checking error status, but due to how commit d42269d7c85308abdbf8cee38b1a1097249eb38b previously attempted to solve the issue of output after error, the call to fprintf does not attempt to write anything when the wide-oriented stream is already in error state. this is non-obvious, and is quite a hack, so it should be changed, but I've left it alone for now to make the bug fix commit itself as non-invasive as possible.
* fix wide printf forms ignoring width for %lc format specifierRich Felker2023-03-201-5/+2
| | | | | since the code path for %c was already doing it right, and the logic is identical, condense them into a single case.
* poll: fix misuse of timespec type on 32-bit archs without poll syscallRich Felker2023-03-031-2/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | this function was overlooked during the time64 transition, probably as a result of not having any time-related types in its application-side interface. however, for archs that lack the traditional poll syscall and have only ppoll, it used timespec as part of its interface with the kernel: the millisecond timeout was converted to a timespec to pass to SYS_ppoll. this is a type/ABI mismatch on 32-bit archs with legacy time32 syscalls. only one supported arch, or1k, is affected. all of the others either have SYS_poll, or are 64-bit. rather than using timespec, define a type locally to match what the kernel expects. the condition (SYS_ppoll_time64 == SYS_ppoll), comparable to conditions used elsewhere in timespec-handling code, evaluates true for "natively time64" 32-bit archs including x32, future riscv32, and all future 32-bit archs (via definitions in internal syscall.h). otherwise, the arch is either 64-bit or has syscalls that take the legacy type, and in either case "long" is correct. this fix is based on bug report and proposal by Alexey Izbyshev but with a different approach to the changes to minimize the contextual knowledge needed for a reader to understand the source file.
* select: fix 64-bit timeout truncation on pre-time64 kernelsAlexey Izbyshev2023-03-021-0/+1
| | | | | | | | | | | If the (normalized) timeout passed to select exceeds INT_MAX seconds on an arch with SYS_pselect6_time64 and the kernel is too old to support time64 syscalls, the timeout is implicitly converted to (32-bit) long on the fallback path, losing its upper 32 bits and potentially becoming a small positive value, violating the intended semantics, or even a negative value, causing the fallback syscall failure. Fix this by saturating the timeout at INT_MAX as done in other time64 fallback cases.
* dup3: don't set FD_CLOEXEC on failure on kernels without dup3 syscallRich Felker2023-02-281-1/+2
| | | | | | | | this is the best-effort fallback path for kernels that can't actually support the dup3 functionality. it was setting FD_CLOEXEC flag on the target fd (new) even if the dup2 operation failed. normally that shouldn't happen under correct usage, but it's possible if the source fd is not open or intentionally invalid (e.g. -1).
* fix dup3 ignoring all flags but O_CLOEXEC on archs with SYS_dup2 syscallRich Felker2023-02-281-1/+2
| | | | | | | | | | | | | our dup3 code wrongly skipped directly to making the SYS_dup2 syscall whenever the O_CLOEXEC bit of flags was not set. this is incorrect if any new flags are ever added, as it would silently ignore them rather than failing with an error. archs which lack SYS_dup2 were unaffected. adjust the logic so that SYS_dup3 is attempted whenever flags is nonzero, and explicitly fail with EINVAL if SYS_dup3 is unavailable and there are any unknown flags.
* fix pipe2 silently ignoring unknown flags on old kernelsRich Felker2023-02-281-0/+1
| | | | | | | kernels using the fallback have an inherent close-on-exec race condition and as such support for them is only best-effort anyway. however, ignoring potential new flags is still very bad behavior. instead, fail with EINVAL.
* getservbyport_r: fix wrong result if getnameinfo fails with EAI_OVERFLOWAlexey Izbyshev2023-02-281-0/+2
| | | | | EAI_OVERFLOW should be propagated as ERANGE to inform the caller about the need to expand the buffer.
* getservbyport_r: fix out-of-bounds buffer readAlexey Izbyshev2023-02-281-1/+1
| | | | | | | | | | | | If the buffer passed to getservbyport_r is just enough to store two pointers after aligning it, getnameinfo is called with buflen == 0 (which means that service name is not needed) and trivially succeeds. Then, strtol is called on the address just past the buffer end, and if it doesn't happen to find the port number there, getservbyport_r spuriously succeeds and returns the same bad address to the caller. Fix this by ensuring that buflen is at least 1 when passed to getnameinfo.
* getifaddrs: fix UB via taking address of null pointer union dereferenceAlexey Izbyshev2023-02-281-7/+7
| | | | | | | | getifaddrs computes &ctx->first->ifa even if ctx->first is NULL. While this shouldn't be possible on the success path because the loopback interface is hardcoded into the kernel, this is still possible on the error path (for example, if __rtnetlink_enumerate couldn't create a socket due to exceeding the fd limit).
* accept4: don't fall back to accept if we got unknown flagsAlexey Izbyshev2023-02-281-0/+4
| | | | | | | | | | | | accept4 emulation via accept ignores unknown flags, so it can spuriously succeed instead of failing (or succeed without doing the action implied by an unknown flag if it's added in a future kernel). Worse, unknown flags trigger the fallback code even on modern kernels if the real accept4 syscall returns EINVAL, because this is indistinguishable from socketcall returning EINVAL due to lack of accept4 support. Fix this by always failing with EINVAL if unknown flags are present and the syscall is missing or failed with EINVAL.
* fix potential read past end of buffer in getnameinfo host name lookupAlexey Izbyshev2023-02-271-0/+1
| | | | | | | This is completely analoguous to commit 633183b5d1c2. Similar code called from __lookup_name is not affected because it checks that the line contains the host name surrounded by blanks.
* dns: fix workaround for systems defaulting to ipv6-only socketsAlexey Izbyshev2023-02-271-15/+16
| | | | | | | | When IPv6 nameservers are present, __res_msend_rc attempts to disable IPV6_V6ONLY socket option to ensure that it can communicate with IPv4 nameservers (if they are present too) via IPv4-mapped IPv6 addresses. However, this option can't be disabled on bound sockets, so setsockopt always fails.
* dns: handle early eof in tcp fallbackAlexey Izbyshev2023-02-271-1/+1
| | | | | | | | A zero returned from recvmsg is currently treated as if some data were received, so if a DNS server closes its TCP socket before sending the full answer, __res_msend_rc will spin until the timeout elapses because POLLIN event will be reported on each poll. Fix this by treating an early EOF as an error.
* prevent CNAME/PTR parsing from reading data past the response endAlexey Izbyshev2023-02-274-7/+7
| | | | | | | | DNS parsing callbacks pass the response buffer end instead of the actual response end to dn_expand, so a malformed DNS response can use message compression to make dn_expand jump past the response end and attempt to parse uninitialized parts of that buffer, which might succeed and return garbage.
* fix out-of-bounds reads in __dns_parseAlexey Izbyshev2023-02-271-3/+3
| | | | | | | | | | | | | | | | | | | | | | | There are several issues with range checks in this function: * The question section parsing loop can read up to two out-of-bounds bytes before doing the range check and bailing out. * The answer section parsing loop, in addition to the same issue as above, uses the wrong length in the range check that doesn't prevent OOB reads when computing len later. * The len range check before calling the callback is off by 10. Also, p+len can overflow in a (probably theoretical) case when p is within 2^16 from UINTPTR_MAX. Because __dns_parse is used only with stack-allocated buffers, such small overreads can't result in a segfault. The first two also don't affect the function result, but the last one may result in getaddrinfo incorrectly succeeding and returning up to 10 bytes past the response buffer as a part of the IP address, and in (canon) name returned by getaddrinfo/getnameinfo being affected by memory past the response buffer (because dn_expand might interpret it as a pointer).
* dns: prefer monotonic clock for timeoutsA. Wilcox2023-02-121-1/+2
| | | | | | | | | Before this commit, DNS timeouts always used CLOCK_REALTIME, which could produce spurious timeouts or delays if wall time changed for whatever reason. Now we try CLOCK_MONOTONIC and only fall back to CLOCK_REALTIME when it is unavailable.
* fix return value of wcs{,n}cmp for extreme wchar_t valuesGabriel Ravier2023-02-122-2/+2
| | | | | | | | | | | | | | As a result of using simple subtraction to implement the return values for wcscmp and wcsncmp, integer overflow can occur (producing undefined behavior, and in practice, a wrong comparison result). This does not occur for meaningful character values (21-bit range) but the functions are specified to work on arbitrary wchar_t arrays. This patch replaces the subtraction with a little bit of code that orders the characters correctly, returning -1 if the character from the first string is smaller than the one from the second, 0 if they are equal and 1 if the character from the first string is larger than the one from the second.
* math: fix undefined shift in logfSzabolcs Nagy2023-02-121-1/+1
| | | | | | | | A signed int shift overflowed when computing a constant mask, use hex literal instead. This is unlikely to cause actual issues unless the code was compiled with ubsan or similar instrumentation specifically to catch this. The stripped libc.so is unchanged on x86_64. Reported by q66 on irc.