From 12590c8bbd04ea484cee86812e2258fbdfca0e59 Mon Sep 17 00:00:00 2001 From: Alexey Izbyshev Date: Sat, 28 Jan 2023 00:17:37 +0300 Subject: fix out-of-bounds reads in __dns_parse There are several issues with range checks in this function: * The question section parsing loop can read up to two out-of-bounds bytes before doing the range check and bailing out. * The answer section parsing loop, in addition to the same issue as above, uses the wrong length in the range check that doesn't prevent OOB reads when computing len later. * The len range check before calling the callback is off by 10. Also, p+len can overflow in a (probably theoretical) case when p is within 2^16 from UINTPTR_MAX. Because __dns_parse is used only with stack-allocated buffers, such small overreads can't result in a segfault. The first two also don't affect the function result, but the last one may result in getaddrinfo incorrectly succeeding and returning up to 10 bytes past the response buffer as a part of the IP address, and in (canon) name returned by getaddrinfo/getnameinfo being affected by memory past the response buffer (because dn_expand might interpret it as a pointer). --- src/network/dns_parse.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/network/dns_parse.c b/src/network/dns_parse.c index e6ee19d9..320df60d 100644 --- a/src/network/dns_parse.c +++ b/src/network/dns_parse.c @@ -15,17 +15,17 @@ int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, c if (qdcount+ancount > 64) return -1; while (qdcount--) { while (p-r < rlen && *p-1U < 127) p++; - if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6) + if (p>r+rlen-6 || *p>193 || (*p==193 && p[1]>254)) return -1; p += 5 + !!*p; } while (ancount--) { while (p-r < rlen && *p-1U < 127) p++; - if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6) + if (p>r+rlen-12 || *p>193 || (*p==193 && p[1]>254)) return -1; p += 1 + !!*p; len = p[8]*256 + p[9]; - if (p+len > r+rlen) return -1; + if (len+10 > r+rlen-p) return -1; if (callback(ctx, p[1], p+10, len, r) < 0) return -1; p += 10 + len; } -- cgit v1.2.3-70-g09d2