summaryrefslogtreecommitdiff
path: root/ares_parse_srv_reply.c
diff options
context:
space:
mode:
authorPatrick Valsecchi <pvalsecc@cisco.com>2013-04-15 22:28:01 +0200
committerDaniel Stenberg <daniel@haxx.se>2013-04-15 22:28:01 +0200
commit148c8e0353d93d7c00003da5a0b8eda2079bc8b9 (patch)
tree2b9dca4769d2fb1b380ac8b6beae6b1183d3b402 /ares_parse_srv_reply.c
parent2004a7a1115e25128170e40470eba8603f7080da (diff)
downloadc-ares-148c8e0353d93d7c00003da5a0b8eda2079bc8b9.tar.gz
c-ares-148c8e0353d93d7c00003da5a0b8eda2079bc8b9.tar.bz2
c-ares-148c8e0353d93d7c00003da5a0b8eda2079bc8b9.zip
protocol parsing: check input data stricter
... so that bad length fields aren't blindly accepted Bug: http://c-ares.haxx.se/mail/c-ares-archive-2013-04/0016.shtml
Diffstat (limited to 'ares_parse_srv_reply.c')
-rw-r--r--ares_parse_srv_reply.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/ares_parse_srv_reply.c b/ares_parse_srv_reply.c
index 9f61f19..0739c27 100644
--- a/ares_parse_srv_reply.c
+++ b/ares_parse_srv_reply.c
@@ -105,6 +105,11 @@ ares_parse_srv_reply (const unsigned char *abuf, int alen,
rr_class = DNS_RR_CLASS (aptr);
rr_len = DNS_RR_LEN (aptr);
aptr += RRFIXEDSZ;
+ if (aptr + rr_len > abuf + alen)
+ {
+ status = ARES_EBADRESP;
+ break;
+ }
/* Check if we are really looking at a SRV record */
if (rr_class == C_IN && rr_type == T_SRV)