fix some validation checks in dns response parsing code

since the buffer passed always has an actual size of 512 bytes, the
maximum possible response packet size, no out-of-bounds access was
possible; however, reading past the end of the valid portion of the
packet could cause the parser to attempt to process junk as answer
content.
Rich Felker 2014-06-03 01:43:29 -04:00
parent 8fba4458af
commit ac2a789342
1 changed files with 3 additions and 2 deletions


@ -6,6 +6,7 @@ int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, c
const unsigned char *p; const unsigned char *p;
int len; int len;
if (rlen<12) return -1;
if ((r[3]&15)) return 0; if ((r[3]&15)) return 0;
p = r+12; p = r+12;
qdcount = r[4]*256 + r[5]; qdcount = r[4]*256 + r[5];
@ -13,13 +14,13 @@ int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, c
if (qdcount+ancount > 64) return -1; if (qdcount+ancount > 64) return -1;
while (qdcount--) { while (qdcount--) {
while (p-r < rlen && *p-1U < 127) p++; while (p-r < rlen && *p-1U < 127) p++;
if (*p>193 || (*p==193 && p[1]>254) || p>r+506) if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6)
return -1; return -1;
p += 5 + !!*p; p += 5 + !!*p;
} }
while (ancount--) { while (ancount--) {
while (p-r < rlen && *p-1U < 127) p++; while (p-r < rlen && *p-1U < 127) p++;
if (*p>193 || (*p==193 && p[1]>254) || p>r+506) if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6)
return -1; return -1;
p += 1 + !!*p; p += 1 + !!*p;
len = p[8]*256 + p[9]; len = p[8]*256 + p[9];
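Review bot: In both the question loop and the answer loop, `*p` and `p[1]` are still read before the new `p>r+rlen-6` bound is tested, so when the inner skip loop stops at `p == r+rlen` those bytes come from beyond the valid part of the packet. Testing the bound first keeps every read inside `rlen`: `if (p>r+rlen-6 || *p>193 || (*p==193 && p[1]>254)) return -1;`. In the answer loop the `-6` margin also looks too small, because after `p += 1 + !!*p` the code reads `p[8]` and `p[9]`, which can lie past `r+rlen`; a margin of `r+rlen-12` there would cover the ten fixed bytes plus a two-byte name terminator. As the description says, memory safety currently rests on the caller always passing a 512-byte buffer, and a comment stating that requirement at the top of `__dns_parse` would help. The function continues past the end of the hunk, so a later length check may still reject such a record, but the reads shown here happen first.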