Fix potential heap corruption in "gpg -v --version"
[gnupg.git] / util / srv.c
1 /* srv.c - DNS SRV code
2  * Copyright (C) 2003, 2005, 2006, 2007, 2009 Free Software Foundation, Inc.
3  *
4  * This file is part of GNUPG.
5  *
6  * GNUPG is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 3 of the License, or
9  * (at your option) any later version.
10  *
11  * GNUPG is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 #include <config.h>
21 #include <sys/types.h>
22 #ifdef _WIN32
23 #include <windows.h>
24 #else
25 #include <netinet/in.h>
26 #include <arpa/nameser.h>
27 #include <arpa/inet.h>
28 #include <resolv.h>
29 #endif
30 #include <unistd.h>
31 #include <stdlib.h>
32 #include <string.h>
33 #include <time.h>
34 #include "srv.h"
35
36 /* Not every installation has gotten around to supporting SRVs
37    yet... */
38 #ifndef T_SRV
39 # define T_SRV 33
40 # ifdef __VMS
41 #  include "cert_vms.h"
42 # endif /* def __VMS */
43 #endif
44
/* qsort() comparison callback: orders two struct srventry elements by
   ascending priority.  Returns -1, 0 or 1 when A sorts before, equal
   to, or after B.  Weight is deliberately not considered here; the
   caller handles it in later passes. */
static int
priosort(const void *a,const void *b)
{
  const struct srventry *lhs=a;
  const struct srventry *rhs=b;

  if(lhs->priority<rhs->priority)
    return -1;
  if(lhs->priority>rhs->priority)
    return 1;
  return 0;
}
56
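/* Exchange two SRV entries in place. */
static void
swapsrv(struct srventry *a,struct srventry *b)
{
  struct srventry temp=*a;

  *a=*b;
  *b=temp;
}

/* Look up the DNS SRV records for NAME and return them in *LIST,
   sorted by priority and then shuffled within each priority level
   according to their weights.

   On success the return value is the number of entries in *LIST,
   which was allocated with realloc() and must be released by the
   caller with free().  If a record names the root domain "." as its
   target, the list is discarded and 0 is returned with *LIST set to
   NULL.  On a resolver failure, a malformed or truncated reply, or
   an allocation failure, -1 is returned with *LIST set to NULL.

   The reply is data received from the network and is treated as
   untrusted: every read is bounded by the end of the received
   message (EMSG). */
int
getsrv(const char *name,struct srventry **list)
{
  unsigned char answer[2048];
  int r,srvcount=0;
  unsigned char *pt,*emsg;
  u16 count,dlen;
  HEADER *header=(HEADER *)answer;

  *list=NULL;

  r=res_query(name,C_IN,T_SRV,answer,sizeof answer);

  /* res_query returns -1 on error.  Comparing a negative int directly
     against sizeof() converts it to a huge unsigned value, so the
     error would pass a plain "r<sizeof(HEADER)" test and the code
     below would parse an unfilled buffer with EMSG pointing before
     ANSWER.  Reject negative lengths explicitly before the size
     comparisons. */
  if(r<0 || (size_t)r<sizeof(HEADER) || (size_t)r>sizeof answer)
    return -1;

  if(header->rcode==NOERROR && (count=ntohs(header->ancount)))
    {
      int i,rc;

      emsg=&answer[r];
      pt=&answer[sizeof(HEADER)];

      /* Skip over the query */

      rc=dn_skipname(pt,emsg);
      if(rc==-1)
        goto fail;

      pt+=rc+QFIXEDSZ;

      while(count-->0 && pt<emsg)
        {
          struct srventry *srv=NULL;
          u16 type,class;

          /* Grow the list by one entry.  Keep the old pointer in
             *LIST until realloc succeeds so the failure path can
             still free it. */
          srv=realloc(*list,(srvcount+1)*sizeof(struct srventry));
          if(!srv)
            goto fail;

          *list=srv;
          memset(&(*list)[srvcount],0,sizeof(struct srventry));
          srv=&(*list)[srvcount];
          srvcount++;

          rc=dn_skipname(pt,emsg); /* the name we just queried for */
          if(rc==-1)
            goto fail;
          pt+=rc;

          /* Truncated message?  The fixed part that follows is 16
             bytes: type, class, ttl (4), rdlength, priority, weight
             and port. */
          if((emsg-pt)<16)
            goto fail;

          type=*pt++ << 8;
          type|=*pt++;
          /* We asked for SRV and got something else !? */
          if(type!=T_SRV)
            goto fail;

          class=*pt++ << 8;
          class|=*pt++;
          /* We asked for IN and got something else !? */
          if(class!=C_IN)
            goto fail;

          pt+=4; /* ttl */
          dlen=*pt++ << 8;
          dlen|=*pt++;
          srv->priority=*pt++ << 8;
          srv->priority|=*pt++;
          srv->weight=*pt++ << 8;
          srv->weight|=*pt++;
          srv->port=*pt++ << 8;
          srv->port|=*pt++;

          /* Get the name.  2782 doesn't allow name compression, but
             dn_expand still works to pull the name out of the
             packet.
             NOTE(review): this assumes srv->target holds at least
             MAXDNAME bytes; the declaration lives in srv.h - confirm. */
          rc=dn_expand(answer,emsg,pt,srv->target,MAXDNAME);
          if(rc==1 && srv->target[0]==0) /* "." */
            goto noanswer;
          if(rc==-1)
            goto fail;
          pt+=rc;
          /* Corrupt packet?  The record data must be exactly the 6
             bytes of priority/weight/port plus the encoded target. */
          if(dlen!=rc+6)
            goto fail;
        }

      /* Now we have an array of all the srv records. */

      /* Order by priority */
      qsort(*list,srvcount,sizeof(struct srventry),priosort);

      /* For each priority, move the zero-weighted items first. */
      for(i=0;i<srvcount;i++)
        {
          int j;

          for(j=i;j<srvcount && (*list)[i].priority==(*list)[j].priority;j++)
            {
              if((*list)[j].weight==0)
                {
                  /* Swap j with i */
                  if(j!=i)
                    swapsrv(&(*list)[i],&(*list)[j]);

                  break;
                }
            }
        }

      /* Run the RFC-2782 weighting algorithm.  We don't need very
         high quality randomness for this, so regular libc srand/rand
         is sufficient.  Note that srand() reseeds the process-wide
         generator. */
      srand(time(NULL)*getpid());

      for(i=0;i<srvcount;i++)
        {
          int j;
          float prio_count=0,chose;

          /* Build the running sum of weights over the entries that
             share entry I's priority. */
          for(j=i;j<srvcount && (*list)[i].priority==(*list)[j].priority;j++)
            {
              prio_count+=(*list)[j].weight;
              (*list)[j].run_count=prio_count;
            }

          chose=prio_count*rand()/RAND_MAX;

          /* Pick the first entry whose running sum reaches the random
             value and move it to position I. */
          for(j=i;j<srvcount && (*list)[i].priority==(*list)[j].priority;j++)
            {
              if(chose<=(*list)[j].run_count)
                {
                  /* Swap j with i */
                  if(j!=i)
                    swapsrv(&(*list)[i],&(*list)[j]);

                  break;
                }
            }
        }
    }

  return srvcount;

 noanswer:
  free(*list);
  *list=NULL;
  return 0;

 fail:
  free(*list);
  *list=NULL;
  return -1;
}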
232
233 #ifdef TEST
/* Stand-alone test driver, compiled only when TEST is defined.  Takes
   one SRV name on the command line, resolves it with getsrv() and
   prints the returned count followed by each entry's fields.  Exits
   with 1 on a usage error and 0 otherwise. */
int
main(int argc,char *argv[])
{
  struct srventry *entries;
  int found,idx;

  if(argc!=2)
    {
      fprintf(stderr,"%s {srv}\n",argv[0]);
      fprintf(stderr," Try %s _hkp._tcp.wwwkeys.pgp.net\n",argv[0]);
      return 1;
    }

  found=getsrv(argv[1],&entries);
  printf("Count=%d\n\n",found);

  /* A failed lookup returns -1, so the loop body is skipped. */
  idx=0;
  while(idx<found)
    {
      const struct srventry *entry=&entries[idx];

      printf("priority=%d\n",entry->priority);
      printf("weight=%d\n",entry->weight);
      printf("port=%d\n",entry->port);
      printf("target=%s\n",entry->target);
      printf("\n");
      idx++;
    }

  free(entries);

  return 0;
}
262 #endif /* TEST */
263
264 /*
265 Local Variables:
266 compile-command: "cc -DTEST -I.. -I../include -Wall -g -o srv srv.c -lresolv libutil.a"
267 End:
268 */