RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-04-18 13:05:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG: dns: Fix out-of-bounds read via signedness error in dns_validate_dns_response()

Browse Source 
Since the data_len field of the dns_answer_item struct was an int16_t,
record length values larger than 2^15-1 were causing an integer
overflow and thus may have been interpreted as negative, making us
read well before the beginning of the buffer.
This might have led to information disclosure or a crash.

To be backported to 1.8, probably also 1.7.
This commit is contained in:
Remi Gacogne 2018-12-05 17:57:49 +01:00 committed by Willy Tarreau
parent efbbdf7299
commit bc552102ad
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/types/dns.h
View File

@ -145,7 +145,7 @@ struct dns_answer_item {
int16_t priority; /* SRV type priority */
uint16_t weight; /* SRV type weight */
int16_t port; /* SRV type port */
int16_t data_len; /* number of bytes in target below */
uint16_t data_len; /* number of bytes in target below */
struct sockaddr address; /* IPv4 or IPv6, network format */
char target[DNS_MAX_NAME_SIZE]; /* Response data: SRV or CNAME type target */
time_t last_seen; /* When was the answer was last seen */