diff options
| author | Patrick Valsecchi <pvalsecc@cisco.com> | 2013-04-15 22:28:01 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2013-04-15 22:28:01 +0200 |
| commit | 148c8e0353d93d7c00003da5a0b8eda2079bc8b9 (patch) | |
| tree | 2b9dca4769d2fb1b380ac8b6beae6b1183d3b402 | |
| parent | 2004a7a1115e25128170e40470eba8603f7080da (diff) | |
| download | c-ares-148c8e0353d93d7c00003da5a0b8eda2079bc8b9.tar.gz c-ares-148c8e0353d93d7c00003da5a0b8eda2079bc8b9.tar.bz2 c-ares-148c8e0353d93d7c00003da5a0b8eda2079bc8b9.zip | |
protocol parsing: check input data stricter
... so that bad length fields aren't blindly accepted
Bug: http://c-ares.haxx.se/mail/c-ares-archive-2013-04/0016.shtml
| -rw-r--r-- | ares_expand_name.c | 2 | ||||
| -rw-r--r-- | ares_parse_a_reply.c | 6 | ||||
| -rw-r--r-- | ares_parse_aaaa_reply.c | 6 | ||||
| -rw-r--r-- | ares_parse_mx_reply.c | 5 | ||||
| -rw-r--r-- | ares_parse_naptr_reply.c | 5 | ||||
| -rw-r--r-- | ares_parse_ns_reply.c | 6 | ||||
| -rw-r--r-- | ares_parse_ptr_reply.c | 8 | ||||
| -rw-r--r-- | ares_parse_srv_reply.c | 5 | ||||
| -rw-r--r-- | ares_parse_txt_reply.c | 11 |
9 files changed, 52 insertions, 2 deletions
diff --git a/ares_expand_name.c b/ares_expand_name.c index a66dfa9..2aa12bc 100644 --- a/ares_expand_name.c +++ b/ares_expand_name.c @@ -143,7 +143,7 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, int n = 0, offset, indir = 0; /* Allow the caller to pass us abuf + alen and have us check for it. */ - if (encoded == abuf + alen) + if (encoded >= abuf + alen) return -1; while (*encoded) diff --git a/ares_parse_a_reply.c b/ares_parse_a_reply.c index 9683ef5..a3ed69e 100644 --- a/ares_parse_a_reply.c +++ b/ares_parse_a_reply.c @@ -136,6 +136,12 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen, rr_len = DNS_RR_LEN(aptr); rr_ttl = DNS_RR_TTL(aptr); aptr += RRFIXEDSZ; + if (aptr + rr_len > abuf + alen) + { + free(rr_name); + status = ARES_EBADRESP; + break; + } if (rr_class == C_IN && rr_type == T_A && rr_len == sizeof(struct in_addr) diff --git a/ares_parse_aaaa_reply.c b/ares_parse_aaaa_reply.c index 7731249..a34a307 100644 --- a/ares_parse_aaaa_reply.c +++ b/ares_parse_aaaa_reply.c @@ -136,6 +136,12 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen, rr_len = DNS_RR_LEN(aptr); rr_ttl = DNS_RR_TTL(aptr); aptr += RRFIXEDSZ; + if (aptr + rr_len > abuf + alen) + { + free(rr_name); + status = ARES_EBADRESP; + break; + } if (rr_class == C_IN && rr_type == T_AAAA && rr_len == sizeof(struct ares_in6_addr) diff --git a/ares_parse_mx_reply.c b/ares_parse_mx_reply.c index 32d3af4..95400dd 100644 --- a/ares_parse_mx_reply.c +++ b/ares_parse_mx_reply.c @@ -100,6 +100,11 @@ ares_parse_mx_reply (const unsigned char *abuf, int alen, rr_class = DNS_RR_CLASS (aptr); rr_len = DNS_RR_LEN (aptr); aptr += RRFIXEDSZ; + if (aptr + rr_len > abuf + alen) + { + status = ARES_EBADRESP; + break; + } /* Check if we are really looking at a MX record */ if (rr_class == C_IN && rr_type == T_MX) diff --git a/ares_parse_naptr_reply.c b/ares_parse_naptr_reply.c index 9315df7..4935366 100644 --- a/ares_parse_naptr_reply.c +++ b/ares_parse_naptr_reply.c @@ -105,6 +105,11 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen, rr_class = DNS_RR_CLASS (aptr); rr_len = DNS_RR_LEN (aptr); aptr += RRFIXEDSZ; + if (aptr + rr_len > abuf + alen) + { + status = ARES_EBADRESP; + break; + } /* Check if we are really looking at a NAPTR record */ if (rr_class == C_IN && rr_type == T_NAPTR) diff --git a/ares_parse_ns_reply.c b/ares_parse_ns_reply.c index 553f253..d331e67 100644 --- a/ares_parse_ns_reply.c +++ b/ares_parse_ns_reply.c @@ -105,6 +105,12 @@ int ares_parse_ns_reply( const unsigned char* abuf, int alen, rr_class = DNS_RR_CLASS( aptr ); rr_len = DNS_RR_LEN( aptr ); aptr += RRFIXEDSZ; + if (aptr + rr_len > abuf + alen) + { + free(rr_name); + status = ARES_EBADRESP; + break; + } if ( rr_class == C_IN && rr_type == T_NS ) { diff --git a/ares_parse_ptr_reply.c b/ares_parse_ptr_reply.c index b505b92..df21e40 100644 --- a/ares_parse_ptr_reply.c +++ b/ares_parse_ptr_reply.c @@ -103,6 +103,12 @@ int ares_parse_ptr_reply(const unsigned char *abuf, int alen, const void *addr, rr_class = DNS_RR_CLASS(aptr); rr_len = DNS_RR_LEN(aptr); aptr += RRFIXEDSZ; + if (aptr + rr_len > abuf + alen) + { + free(rr_name); + status = ARES_EBADRESP; + break; + } if (rr_class == C_IN && rr_type == T_PTR && strcasecmp(rr_name, ptrname) == 0) @@ -203,7 +209,7 @@ int ares_parse_ptr_reply(const unsigned char *abuf, int alen, const void *addr, status = ARES_ENOMEM; } for (i=0 ; i<aliascnt ; i++) - if (aliases[i]) + if (aliases[i]) free(aliases[i]); free(aliases); if (hostname) diff --git a/ares_parse_srv_reply.c b/ares_parse_srv_reply.c index 9f61f19..0739c27 100644 --- a/ares_parse_srv_reply.c +++ b/ares_parse_srv_reply.c @@ -105,6 +105,11 @@ ares_parse_srv_reply (const unsigned char *abuf, int alen, rr_class = DNS_RR_CLASS (aptr); rr_len = DNS_RR_LEN (aptr); aptr += RRFIXEDSZ; + if (aptr + rr_len > abuf + alen) + { + status = ARES_EBADRESP; + break; + } /* Check if we are really looking at a SRV record */ if (rr_class == C_IN && rr_type == T_SRV) diff --git a/ares_parse_txt_reply.c b/ares_parse_txt_reply.c index dcc6473..3a43d6a 100644 --- a/ares_parse_txt_reply.c +++ b/ares_parse_txt_reply.c @@ -106,6 +106,11 @@ ares_parse_txt_reply (const unsigned char *abuf, int alen, rr_class = DNS_RR_CLASS (aptr); rr_len = DNS_RR_LEN (aptr); aptr += RRFIXEDSZ; + if (aptr + rr_len > abuf + alen) + { + status = ARES_EBADRESP; + break; + } /* Check if we are really looking at a TXT record */ if (rr_class == C_IN && rr_type == T_TXT) @@ -144,6 +149,12 @@ ares_parse_txt_reply (const unsigned char *abuf, int alen, strptr += substr_len + 1; } + if (strptr != (aptr + rr_len)) + { + status = ARES_EBADRESP; + break; + } + /* Including null byte */ txt_curr->txt = malloc (txt_curr->length + 1); if (txt_curr->txt == NULL) |