mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-23 04:42:28 +00:00
BUG: dns: Prevent out-of-bounds read in dns_validate_dns_response()
We need to make sure that the record length is not making us read past the end of the data we received. Before this patch we could for example read the 16 bytes corresponding to an AAAA record from the non-initialized part of the buffer, possibly accessing anything that was left on the stack, or even past the end of the 8193-byte buffer, depending on the value of accepted_payload_size. To be backported to 1.8, probably also 1.7.
This commit is contained in:
parent
2d19fbcab2
commit
efbbdf7299
@ -810,6 +810,11 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
|
||||
/* Move forward 2 bytes for data len */
|
||||
reader += 2;
|
||||
|
||||
if (reader + dns_answer_record->data_len >= bufend) {
|
||||
pool_free(dns_answer_item_pool, dns_answer_record);
|
||||
return DNS_RESP_INVALID;
|
||||
}
|
||||
|
||||
/* Analyzing record content */
|
||||
switch (dns_answer_record->type) {
|
||||
case DNS_RTYPE_A:
|
||||
|
Loading…
Reference in New Issue
Block a user