dns: check length field in tcp response message

The received length field in the message may be greater than the size of the 'answer' buffer in which the message resides. Currently, ABUF_SIZE is 768. And if we get a larger 'alens[i]', it will result in an out-of-bounds reading in __dns_parse(). To fix this, limit the length to the size of the received buffer.
author: Alexey Kodanev <aleksei.kodanev@bell-sw.com> 2023-03-22 17:48:40 +0300
committer: Rich Felker <dalias@aerifal.cx> 2023-04-07 20:44:20 -0400
commit: 77327ed064bd57b0e1865cd0e0364057ff4a53b4 (patch)
tree: 456aa3bfdc5ff2c84c5e1eb68bf49002d386adf3 /src
parent: 1d5750b95c06913a1f18a995481276d698d20fae (diff)
download: musl-77327ed064bd57b0e1865cd0e0364057ff4a53b4.tar.gz
musl-77327ed064bd57b0e1865cd0e0364057ff4a53b4.tar.bz2
musl-77327ed064bd57b0e1865cd0e0364057ff4a53b4.tar.xz
musl-77327ed064bd57b0e1865cd0e0364057ff4a53b4.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
index f268bcda..4281482e 100644
--- a/src/network/lookup_name.c
+++ b/src/network/lookup_name.c
@@ -179,6 +179,7 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static
 
 	for (i=nq-1; i>=0; i--) {
 		ctx.rrtype = qtypes[i];
+		if (alens[i] > sizeof(abuf[i])) alens[i] = sizeof abuf[i];
 		__dns_parse(abuf[i], alens[i], dns_parse_callback, &ctx);
 	}
author	Alexey Kodanev <aleksei.kodanev@bell-sw.com>	2023-03-22 17:48:40 +0300
committer	Rich Felker <dalias@aerifal.cx>	2023-04-07 20:44:20 -0400
commit	77327ed064bd57b0e1865cd0e0364057ff4a53b4 (patch)
tree	456aa3bfdc5ff2c84c5e1eb68bf49002d386adf3 /src
parent	1d5750b95c06913a1f18a995481276d698d20fae (diff)
download	musl-77327ed064bd57b0e1865cd0e0364057ff4a53b4.tar.gz musl-77327ed064bd57b0e1865cd0e0364057ff4a53b4.tar.bz2 musl-77327ed064bd57b0e1865cd0e0364057ff4a53b4.tar.xz musl-77327ed064bd57b0e1865cd0e0364057ff4a53b4.zip