From 2d19fbcab21356f5aee1f2a52591a38665360bb6 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Wed, 5 Dec 2018 17:55:10 +0100 Subject: [PATCH] BUG: dns: Prevent out-of-bounds read in dns_read_name() Some callers of dns_read_name() do not make sure that we can read the first byte, holding the length of the next label, without going past our buffer, so we need to make sure of that. In addition, if the label is a compressed one we need to make sure that we can read the following byte to compute the target offset. To be backported to 1.8, probably also 1.7. --- src/dns.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/dns.c b/src/dns.c index 50fc16e09..fead2613a 100644 --- a/src/dns.c +++ b/src/dns.c @@ -402,8 +402,14 @@ int dns_read_name(unsigned char *buffer, unsigned char *bufend, char *dest = destination; while (1) { + if (reader >= bufend) + goto err; + /* Name compression is in use */ if ((*reader & 0xc0) == 0xc0) { + if (reader + 1 >= bufend) + goto err; + /* Must point BEFORE current position */ if ((buffer + reader[1]) > reader) goto err;
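
Review bot: in the compressed-label branch, the new "reader + 1 >= bufend" check makes reader[1] safe to read, but the unchanged comparison right after it, "(buffer + reader[1]) > reader", still accepts a pointer whose target equals the current position, although the comment says the target must point BEFORE it; consider ">=" there, in this patch or a follow-up. That same line builds the target from reader[1] alone, while an RFC 1035 compression pointer is a 14-bit offset whose upper 6 bits sit in the first byte, so a short comment saying whether offsets above 255 are deliberately unsupported would help the next reader. The first new check, "reader >= bufend" at the top of the loop, covers only the length byte; the lines shown here do not tell whether the label bytes that follow it are bounded against bufend before being copied, so please confirm that path too, since the commit message says callers cannot be relied on for it.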