BUG: dns: Prevent out-of-bounds read in dns_read_name()

Some callers of dns_read_name() do not make sure that we can read
the first byte, holding the length of the next label, without going
past our buffer, so we need to make sure of that.
In addition, if the label is a compressed one we need to make sure
that we can read the following byte to compute the target offset.

To be backported to 1.8, probably also 1.7.
This commit is contained in:
Remi Gacogne 2018-12-05 17:55:10 +01:00 committed by Willy Tarreau
parent 58df5aea0a
commit 2d19fbcab2

View File

@ -402,8 +402,14 @@ int dns_read_name(unsigned char *buffer, unsigned char *bufend,
char *dest = destination;
while (1) {
if (reader >= bufend)
goto err;
/* Name compression is in use */
if ((*reader & 0xc0) == 0xc0) {
if (reader + 1 >= bufend)
goto err;
/* Must point BEFORE current position */
if ((buffer + reader[1]) > reader)
goto err;