From 9b132e556774c744f9052581d2d8d0fab417e97c Mon Sep 17 00:00:00 2001
From: Alexey Izbyshev <izbyshev@ispras.ru>
Date: Sun, 29 Jan 2023 19:46:51 +0300
Subject: prevent CNAME/PTR parsing from reading data past the response end

DNS parsing callbacks pass the response buffer end instead of the actual
response end to dn_expand, so a malformed DNS response can use message
compression to make dn_expand jump past the response end and attempt to
parse uninitialized parts of that buffer, which might succeed and return
garbage.
---
 src/network/getnameinfo.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/network/getnameinfo.c')

diff --git a/src/network/getnameinfo.c b/src/network/getnameinfo.c
index 949e1811..080d3c06 100644
--- a/src/network/getnameinfo.c
+++ b/src/network/getnameinfo.c
@@ -108,10 +108,10 @@ static void reverse_services(char *buf, int port, int dgram)
 	__fclose_ca(f);
 }
 
-static int dns_parse_callback(void *c, int rr, const void *data, int len, const void *packet)
+static int dns_parse_callback(void *c, int rr, const void *data, int len, const void *packet, int plen)
 {
 	if (rr != RR_PTR) return 0;
-	if (__dn_expand(packet, (const unsigned char *)packet + 512,
+	if (__dn_expand(packet, (const unsigned char *)packet + plen,
 	    data, c, 256) <= 0)
 		*(char *)c = 0;
 	return 0;
-- 
cgit v1.2.1