diff options
author | Patrick Valsecchi <pvalsecc@cisco.com> | 2013-04-15 22:28:01 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2013-04-15 22:28:01 +0200 |
commit | 148c8e0353d93d7c00003da5a0b8eda2079bc8b9 (patch) | |
tree | 2b9dca4769d2fb1b380ac8b6beae6b1183d3b402 /ares_parse_srv_reply.c | |
parent | 2004a7a1115e25128170e40470eba8603f7080da (diff) | |
download | c-ares-148c8e0353d93d7c00003da5a0b8eda2079bc8b9.tar.gz c-ares-148c8e0353d93d7c00003da5a0b8eda2079bc8b9.tar.bz2 c-ares-148c8e0353d93d7c00003da5a0b8eda2079bc8b9.zip |
protocol parsing: check input data stricter
... so that bad length fields aren't blindly accepted
Bug: http://c-ares.haxx.se/mail/c-ares-archive-2013-04/0016.shtml
Diffstat (limited to 'ares_parse_srv_reply.c')
-rw-r--r-- | ares_parse_srv_reply.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/ares_parse_srv_reply.c b/ares_parse_srv_reply.c index 9f61f19..0739c27 100644 --- a/ares_parse_srv_reply.c +++ b/ares_parse_srv_reply.c @@ -105,6 +105,11 @@ ares_parse_srv_reply (const unsigned char *abuf, int alen, rr_class = DNS_RR_CLASS (aptr); rr_len = DNS_RR_LEN (aptr); aptr += RRFIXEDSZ; + if (aptr + rr_len > abuf + alen) + { + status = ARES_EBADRESP; + break; + } /* Check if we are really looking at a SRV record */ if (rr_class == C_IN && rr_type == T_SRV) |