prevent CNAME/PTR parsing from reading data past the response end

DNS parsing callbacks pass the response buffer end instead of the actual response end to dn_expand, so a malformed DNS response can use message compression to make dn_expand jump past the response end and attempt to parse uninitialized parts of that buffer, which might succeed and return garbage.
author: Alexey Izbyshev <izbyshev@ispras.ru> 2023-01-29 19:46:51 +0300
committer: Rich Felker <dalias@aerifal.cx> 2023-02-27 10:03:06 -0500
commit: 9b132e556774c744f9052581d2d8d0fab417e97c (patch)
tree: cbb516502c92f69bb6b01c82dbb7c30fed845c56 /src/network/lookup_name.c
parent: 12590c8bbd04ea484cee86812e2258fbdfca0e59 (diff)
download: musl-9b132e556774c744f9052581d2d8d0fab417e97c.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
index 5f6867cb..f268bcda 100644
--- a/src/network/lookup_name.c
+++ b/src/network/lookup_name.c
@@ -111,13 +111,13 @@ struct dpc_ctx {
 
 #define ABUF_SIZE 768
 
-static int dns_parse_callback(void *c, int rr, const void *data, int len, const void *packet)
+static int dns_parse_callback(void *c, int rr, const void *data, int len, const void *packet, int plen)
 {
 	char tmp[256];
 	int family;
 	struct dpc_ctx *ctx = c;
 	if (rr == RR_CNAME) {
-		if (__dn_expand(packet, (const unsigned char *)packet + ABUF_SIZE,
+		if (__dn_expand(packet, (const unsigned char *)packet + plen,
 		    data, tmp, sizeof tmp) > 0 && is_valid_hostname(tmp))
 			strcpy(ctx->canon, tmp);
 		return 0;
author	Alexey Izbyshev <izbyshev@ispras.ru>	2023-01-29 19:46:51 +0300
committer	Rich Felker <dalias@aerifal.cx>	2023-02-27 10:03:06 -0500
commit	9b132e556774c744f9052581d2d8d0fab417e97c (patch)
tree	cbb516502c92f69bb6b01c82dbb7c30fed845c56 /src/network/lookup_name.c
parent	12590c8bbd04ea484cee86812e2258fbdfca0e59 (diff)
download	musl-9b132e556774c744f9052581d2d8d0fab417e97c.tar.gz