From 9b132e556774c744f9052581d2d8d0fab417e97c Mon Sep 17 00:00:00 2001
From: Alexey Izbyshev
Date: Sun, 29 Jan 2023 19:46:51 +0300
Subject: prevent CNAME/PTR parsing from reading data past the response end

DNS parsing callbacks pass the response buffer end instead of the actual response end to dn_expand, so a malformed DNS response can use message compression to make dn_expand jump past the response end and attempt to parse uninitialized parts of that buffer, which might succeed and return garbage.
---
 src/network/lookup_name.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/network/lookup_name.c')

diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
index 5f6867cb..f268bcda 100644
--- a/src/network/lookup_name.c
+++ b/src/network/lookup_name.c
@@ -111,13 +111,13 @@ struct dpc_ctx {
 
 #define ABUF_SIZE 768
 
-static int dns_parse_callback(void *c, int rr, const void *data, int len, const void *packet)
+static int dns_parse_callback(void *c, int rr, const void *data, int len, const void *packet, int plen)
 {
 	char tmp[256];
 	int family;
 	struct dpc_ctx *ctx = c;
 	if (rr == RR_CNAME) {
-		if (__dn_expand(packet, (const unsigned char *)packet + ABUF_SIZE,
+		if (__dn_expand(packet, (const unsigned char *)packet + plen,
 				data, tmp, sizeof tmp) > 0 && is_valid_hostname(tmp))
 			strcpy(ctx->canon, tmp);
 		return 0;
-- 
cgit v1.2.3
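Review bot: The new `plen` parameter on dns_parse_callback carries the security-relevant contract of this fix but is undocumented; a one-line comment above the signature such as `/* plen: bytes actually received into packet; bounds compression-pointer chasing in __dn_expand (ABUF_SIZE is only the buffer capacity) */` would stop a later maintainer from reintroducing the buffer-size bound. Within the CNAME branch the name is now clamped to the received message, but the record's own `len` is still not consulted, so a CNAME whose rdata is shorter than the name it encodes is still accepted by reading into whatever follows it in the message; if that is unintended, comparing __dn_expand's return value against `len` would tighten it, though I cannot see from this hunk whether callers rely on the looser behaviour. The subject also names PTR parsing, yet this file section touches only the CNAME path, so the PTR change presumably lives in another file not included here. dns_parse_callback continues past the end of the hunk, and the matching change to the callback type expected by the caller of this function is outside the hunk as well.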