| From 45ca5d3fcb6f874bf5ba55d0e9651cef68515395 Mon Sep 17 00:00:00 2001 |
| From: Rich Felker <dalias@aerifal.cx> |
| Date: Wed, 18 Oct 2017 14:50:03 -0400 |
| Subject: [PATCH] in dns parsing callback, enforce MAXADDRS to preclude |
| overflow |
| |
| MAXADDRS was chosen not to need enforcement, but the logic used to |
| compute it assumes the answers received match the RR types of the |
| queries. specifically, it assumes that only one replu contains A |
| record answers. if the replies to both the A and the AAAA query have |
| their answer sections filled with A records, MAXADDRS can be exceeded |
| and clobber the stack of the calling function. |
| |
| this bug was found and reported by Felix Wilhelm. |
| |
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
| --- |
| src/network/lookup_name.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c |
| index 066be4d5..209c20f0 100644 |
| --- a/src/network/lookup_name.c |
| +++ b/src/network/lookup_name.c |
| @@ -111,6 +111,7 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const |
| { |
| char tmp[256]; |
| struct dpc_ctx *ctx = c; |
| + if (ctx->cnt >= MAXADDRS) return -1; |
| switch (rr) { |
| case RR_A: |
| if (len != 4) return -1; |
| -- |
| 2.11.0 |
| |
