author: Rich Felker <dalias@aerifal.cx> 2017-10-18 18:50:03 (GMT)
committer: Rich Felker <dalias@aerifal.cx> 2017-10-18 18:50:03 (GMT)
commit: 45ca5d3fcb6f874bf5ba55d0e9651cef68515395
tree: 277fae4ad1db979b38153b3118323ffe98a0a549
parent: 5b5eb527c5ed5ca2786bf82892a04ca3bdf33d31
in dns parsing callback, enforce MAXADDRS to preclude overflow
MAXADDRS was chosen not to need enforcement, but the logic used to compute it assumes the answers received match the RR types of the queries. specifically, it assumes that only one reply contains A record answers. if the replies to both the A and the AAAA query have their answer sections filled with A records, MAXADDRS can be exceeded and clobber the stack of the calling function. this bug was found and reported by Felix Wilhelm.
-rw-r--r-- src/network/lookup_name.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
index 066be4d..209c20f 100644
--- a/src/network/lookup_name.c
+++ b/src/network/lookup_name.c
@@ -111,6 +111,7 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const
{
char tmp[256];
struct dpc_ctx *ctx = c;
+ if (ctx->cnt >= MAXADDRS) return -1;
switch (rr) {
case RR_A:
if (len != 4) return -1;
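Review bot: the new `if (ctx->cnt >= MAXADDRS) return -1;` sits above `switch (rr)` with no comment, and it returns the same -1 that the malformed-length path uses (`if (len != 4) return -1;`), so a full address table is indistinguishable from a bad record at the call site. Two suggestions: add a one-line comment above the check saying that the answer sections of both replies can carry A records, because the commit message states MAXADDRS was sized on the assumption that this cannot happen and a later reader may take the check for redundant; and confirm in the caller that a -1 from this callback only stops parsing and does not discard the addresses already counted in `ctx->cnt`, since that handling is not visible in this hunk. Because the check runs before the switch, it also applies to any record type that does not store an address; if that is intended, the comment is the place to say so.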