fix out-of-bounds reads in __dns_parse

There are several issues with range checks in this function:

* The question section parsing loop can read up to two out-of-bounds
  bytes before doing the range check and bailing out.

* The answer section parsing loop, in addition to the same issue as
  above, uses the wrong length in the range check that doesn't prevent
  OOB reads when computing len later.

* The len range check before calling the callback is off by 10. Also,
  p+len can overflow in a (probably theoretical) case when p is within
  2^16 from UINTPTR_MAX.

Because __dns_parse is used only with stack-allocated buffers, such
small overreads can't result in a segfault. The first two also don't
affect the function result, but the last one may result in getaddrinfo
incorrectly succeeding and returning up to 10 bytes past the
response buffer as a part of the IP address, and in (canon) name
returned by getaddrinfo/getnameinfo being affected by memory past the
response buffer (because dn_expand might interpret it as a pointer).

1 files changed, 3 insertions, 3 deletions

diff --git a/src/network/dns_parse.c b/src/network/dns_parse.c
index e6ee19d9..320df60d 100644
--- a/src/network/dns_parse.c
+++ b/src/network/dns_parse.c
@@ -15,17 +15,17 @@ int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, c
 	if (qdcount+ancount > 64) return -1;
 	while (qdcount--) {
 		while (p-r < rlen && *p-1U < 127) p++;
-		if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6)
+		if (p>r+rlen-6 || *p>193 || (*p==193 && p[1]>254))
 			return -1;
 		p += 5 + !!*p;
 	}
 	while (ancount--) {
 		while (p-r < rlen && *p-1U < 127) p++;
-		if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6)
+		if (p>r+rlen-12 || *p>193 || (*p==193 && p[1]>254))
 			return -1;
 		p += 1 + !!*p;
 		len = p[8]*256 + p[9];
-		if (p+len > r+rlen) return -1;
+		if (len+10 > r+rlen-p) return -1;
 		if (callback(ctx, p[1], p+10, len, r) < 0) return -1;
 		p += 10 + len;
 	}