提交 ac2a7893 编写于 作者: R Rich Felker

fix some validation checks in dns response parsing code

since the buffer passed always has an actual size of 512 bytes, the
maximum possible response packet size, no out-of-bounds access was
possible; however, reading past the end of the valid portion of the
packet could cause the parser to attempt to process junk as answer
content.
上级 8fba4458
......@@ -6,6 +6,7 @@ int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, c
const unsigned char *p;
int len;
if (rlen<12) return -1;
if ((r[3]&15)) return 0;
p = r+12;
qdcount = r[4]*256 + r[5];
......@@ -13,13 +14,13 @@ int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, c
if (qdcount+ancount > 64) return -1;
while (qdcount--) {
while (p-r < rlen && *p-1U < 127) p++;
if (*p>193 || (*p==193 && p[1]>254) || p>r+506)
if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6)
return -1;
p += 5 + !!*p;
}
while (ancount--) {
while (p-r < rlen && *p-1U < 127) p++;
if (*p>193 || (*p==193 && p[1]>254) || p>r+506)
if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6)
return -1;
p += 1 + !!*p;
len = p[8]*256 + p[9];
......
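Review bot: In both loops the new condition still dereferences `*p` (and possibly `p[1]`) before it tests `p>r+rlen-6`, so when the label-skipping `while` stops at `p-r == rlen` the parser reads one or two bytes beyond the valid part of the packet, and beyond the 512-byte buffer if `rlen` can ever equal the buffer size (the callers are not shown here). Putting the bounds test first lets short-circuit evaluation guard those reads: `if (p>r+rlen-6 || *p>193 || (*p==193 && p[1]>254))`. In the answer loop the 6-byte margin also looks too small for the following `len = p[8]*256 + p[9];`, because after `p += 1 + !!*p` those two bytes can lie past `r+rlen`. Whether a later length check rejects that case cannot be seen, since the function continues outside the hunk.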