summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiung <jiung.yu@samsung.com>2017-08-07 04:56:32 (GMT)
committerJiung <jiung.yu@samsung.com>2017-08-07 04:56:35 (GMT)
commitedc447f2f3134d81575f16b1701fc802161f153f (patch)
treea5377c7630cabe27fee1e0c53e81175f8882c234
parent45e88a8337839e5fd88519bc55467053d521c9f6 (diff)
downloadc-ares-tizen.zip
c-ares-tizen.tar.gz
c-ares-tizen.tar.bz2
ares_parse_naptr_reply: check sufficient dataHEADtizenrefs/changes/91/142691/1
Description: https://github.com/c-ares/c-ares/commit/9478908a490a6bf009ba58d81de8c1d06d50a117 ares_parse_naptr_reply: check sufficient data Check that there is enough data for the required elements of an NAPTR record (2 int16, 3 bytes for string lengths) before processing a record. https://github.com/c-ares/c-ares/commit/18ea99693d63f957ecb670045adbd2c1da8a4641 ares_parse_naptr_reply: make buffer length check more accurate 9478908 introduced a length check for records parsed by `ares_parse_naptr_reply()`. However, that function is designed to parse replies which also contain non-NAPTR records; for A records, the `rr_len > 7` check will fail as there are only 4 bytes of payload. In particular, parsing ANY replies for NAPTR records was broken by that patch. Fix that by moving the check into the case in which it is already known that the record is a NAPTR record. Change-Id: I7ca730c0367ff1cc416e67a3a99021438d237666
-rw-r--r--ares_parse_naptr_reply.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/ares_parse_naptr_reply.c b/ares_parse_naptr_reply.c
index 11634df..0e37b02 100644
--- a/ares_parse_naptr_reply.c
+++ b/ares_parse_naptr_reply.c
@@ -116,6 +116,13 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
{
/* parse the NAPTR record itself */
+ /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
+ if (rr_len < 7)
+ {
+ status = ARES_EBADRESP;
+ break;
+ }
+
/* Allocate storage for this NAPTR answer appending it to the list */
naptr_curr = ares_malloc_data(ARES_DATATYPE_NAPTR_REPLY);
if (!naptr_curr)