From 9b132e556774c744f9052581d2d8d0fab417e97c Mon Sep 17 00:00:00 2001
From: Alexey Izbyshev
Date: Sun, 29 Jan 2023 19:46:51 +0300
Subject: prevent CNAME/PTR parsing from reading data past the response end

DNS parsing callbacks pass the response buffer end instead of the actual response end to dn_expand, so a malformed DNS response can use message compression to make dn_expand jump past the response end and attempt to parse uninitialized parts of that buffer, which might succeed and return garbage.
---
 src/network/dns_parse.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/network/dns_parse.c')

diff --git a/src/network/dns_parse.c b/src/network/dns_parse.c
index 320df60d..7f83e791 100644
--- a/src/network/dns_parse.c
+++ b/src/network/dns_parse.c
@@ -1,7 +1,7 @@
 #include
 #include "lookup.h"
-int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, const void *, int, const void *), void *ctx)
+int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, const void *, int, const void *, int), void *ctx)
 {
 	int qdcount, ancount;
 	const unsigned char *p;
@@ -26,7 +26,7 @@ int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, c
 		p += 1 + !!*p;
 		len = p[8]*256 + p[9];
 		if (len+10 > r+rlen-p) return -1;
-		if (callback(ctx, p[1], p+10, len, r) < 0) return -1;
+		if (callback(ctx, p[1], p+10, len, r, rlen) < 0) return -1;
 		p += 10 + len;
 	}
 	return 0;
--
cgit v1.2.1
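Review bot: The added `rlen` argument in the callback invocation only closes the over-read if every callback implementation actually bounds its dn_expand call by `r + rlen` instead of the buffer end, and this diff is limited to dns_parse.c, so the implementers and the prototype in lookup.h are outside the hunk and must be updated in lockstep or the build breaks and the fix is incomplete. Because the new parameter is an unnamed `int` in a six-argument function-pointer type, its meaning is not discoverable from the signature; a one-line comment above `__dns_parse`, such as `/* callback gets (r, rlen): the whole response, so name decompression can be bounded by the response end rather than the buffer end */`, would make the contract explicit. The `if (len+10 > r+rlen-p) return -1;` check relies on `p` still being inside `[r, r+rlen)` after the `p += 1 + !!*p` skip; the loop head that establishes that is outside the hunk, and the function's closing brace is outside it as well.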