From ac2a7893427b6c94f05609d214178f8d5a18b333 Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Tue, 3 Jun 2014 01:43:29 -0400
Subject: fix some validation checks in dns response parsing code

since the buffer passed always has an actual size of 512 bytes, the
maximum possible response packet size, no out-of-bounds access was
possible; however, reading past the end of the valid portion of the
packet could cause the parser to attempt to process junk as answer
content.
---
 src/network/dns_parse.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/network/dns_parse.c b/src/network/dns_parse.c
index aa0d39f3..0c7a6011 100644
--- a/src/network/dns_parse.c
+++ b/src/network/dns_parse.c
@@ -6,6 +6,7 @@ int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, c
 	const unsigned char *p;
 	int len;
 
+	if (rlen<12) return -1;
 	if ((r[3]&15)) return 0;
 	p = r+12;
 	qdcount = r[4]*256 + r[5];
@@ -13,13 +14,13 @@ int __dns_parse(const unsigned char *r, int rlen, int (*callback)(void *, int, c
 	if (qdcount+ancount > 64) return -1;
 	while (qdcount--) {
 		while (p-r < rlen && *p-1U < 127) p++;
-		if (*p>193 || (*p==193 && p[1]>254) || p>r+506)
+		if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6)
 			return -1;
 		p += 5 + !!*p;
 	}
 	while (ancount--) {
 		while (p-r < rlen && *p-1U < 127) p++;
-		if (*p>193 || (*p==193 && p[1]>254) || p>r+506)
+		if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6)
 			return -1;
 		p += 1 + !!*p;
 		len = p[8]*256 + p[9];
-- 
cgit v1.2.1