diff options
author | Rich Felker <dalias@aerifal.cx> | 2014-06-03 01:43:29 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2014-06-03 01:43:29 -0400 |
commit | ac2a7893427b6c94f05609d214178f8d5a18b333 (patch) | |
tree | f1b3b8cdc8130be55c1327023a02c4c6686f101b | |
parent | 8fba4458afb7304b32ca887e4a3990c6029131f9 (diff) | |
download | musl-ac2a7893427b6c94f05609d214178f8d5a18b333.tar.gz musl-ac2a7893427b6c94f05609d214178f8d5a18b333.tar.bz2 musl-ac2a7893427b6c94f05609d214178f8d5a18b333.tar.xz musl-ac2a7893427b6c94f05609d214178f8d5a18b333.zip |
fix some validation checks in dns response parsing code
since the buffer passed always has an actual size of 512 bytes, the
maximum possible response packet size, no out-of-bounds access was
possible; however, reading past the end of the valid portion of the
packet could cause the parser to attempt to process junk as answer
content.
-rw-r--r-- | src/network/dns_parse.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/network/dns_parse.c b/src/network/dns_parse.c index aa0d39f3..0c7a6011 100644 --- a/src/network/dns_parse.c +++ b/src/network/dns_parse.c @@ -6,6 +6,7 @@ int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, c const unsigned char *p; int len; + if (rlen<12) return -1; if ((r[3]&15)) return 0; p = r+12; qdcount = r[4]*256 + r[5]; @@ -13,13 +14,13 @@ int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, c if (qdcount+ancount > 64) return -1; while (qdcount--) { while (p-r < rlen && *p-1U < 127) p++; - if (*p>193 || (*p==193 && p[1]>254) || p>r+506) + if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6) return -1; p += 5 + !!*p; } while (ancount--) { while (p-r < rlen && *p-1U < 127) p++; - if (*p>193 || (*p==193 && p[1]>254) || p>r+506) + if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6) return -1; p += 1 + !!*p; len = p[8]*256 + p[9]; |