authorPatrick Valsecchi <pvalsecc@cisco.com>2013-04-15 20:28:01 (GMT)
committerDaniel Stenberg <daniel@haxx.se>2013-04-15 20:28:01 (GMT)
commit148c8e0353d93d7c00003da5a0b8eda2079bc8b9 (patch)
tree2b9dca4769d2fb1b380ac8b6beae6b1183d3b402 /ares_parse_txt_reply.c
parent2004a7a1115e25128170e40470eba8603f7080da (diff)
protocol parsing: check input data stricter
... so that bad length fields aren't blindly accepted Bug: http://c-ares.haxx.se/mail/c-ares-archive-2013-04/0016.shtml
Diffstat (limited to 'ares_parse_txt_reply.c')
-rw-r--r--ares_parse_txt_reply.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/ares_parse_txt_reply.c b/ares_parse_txt_reply.c
index dcc6473..3a43d6a 100644
--- a/ares_parse_txt_reply.c
+++ b/ares_parse_txt_reply.c
@@ -106,6 +106,11 @@ ares_parse_txt_reply (const unsigned char *abuf, int alen,
rr_class = DNS_RR_CLASS (aptr);
rr_len = DNS_RR_LEN (aptr);
aptr += RRFIXEDSZ;
+ if (aptr + rr_len > abuf + alen)
+ {
+ status = ARES_EBADRESP;
+ break;
+ }
/* Check if we are really looking at a TXT record */
if (rr_class == C_IN && rr_type == T_TXT)
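Review bot: The added bound check `if (aptr + rr_len > abuf + alen)` forms the pointer `aptr + rr_len` before it is known to lie inside the reply buffer, and computing a pointer more than one past the end of an object is undefined behaviour in C, so a compiler may legally assume the comparison cannot be true. Comparing the attacker-controlled length against the bytes that remain avoids this: `if (rr_len > (abuf + alen) - aptr)`. That form relies on `aptr` not having passed `abuf + alen` after `aptr += RRFIXEDSZ`; the check that would guarantee this, and the declaration of `rr_len`, are outside the hunk, so confirm both before changing the comparison. The enclosing loop of ares_parse_txt_reply starts and ends outside the hunk.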
@@ -144,6 +149,12 @@ ares_parse_txt_reply (const unsigned char *abuf, int alen,
strptr += substr_len + 1;
}
+ if (strptr != (aptr + rr_len))
+ {
+ status = ARES_EBADRESP;
+ break;
+ }
+
/* Including null byte */
txt_curr->txt = malloc (txt_curr->length + 1);
if (txt_curr->txt == NULL)
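Review bot: The added test `if (strptr != (aptr + rr_len))` has no comment saying why an exact match is required, and the reason is not obvious from the hunk alone. The context line `strptr += substr_len + 1;` suggests the preceding loop (which starts outside the hunk) advances by each length byte, so a final length byte that overstates the remaining data would leave `strptr` past the end of the record. I would put a comment above the check such as `/* The sub-string lengths must add up to exactly rr_len; a length byte that runs past the record end means a malformed reply */`. It would also help to note there that this has to run before the `malloc (txt_curr->length + 1)` below, because `txt_curr->length` was summed from the same unvalidated length bytes.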