1 files changed, 12 insertions, 7 deletions

diff --git a/ares_parse_aaaa_reply.c b/ares_parse_aaaa_reply.c
index 1fbe838..31e4a8c 100644
--- a/ares_parse_aaaa_reply.c
+++ b/ares_parse_aaaa_reply.c
@@ -17,9 +17,6 @@
 
 #include "ares_setup.h"
 
-#ifdef HAVE_SYS_SOCKET_H
-#  include <sys/socket.h>
-#endif
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
 #endif
@@ -42,15 +39,13 @@
 #  include <strings.h>
 #endif
 
-#include <stdlib.h>
-#include <string.h>
 #ifdef HAVE_LIMITS_H
 #  include <limits.h>
 #endif
 
 #include "ares.h"
 #include "ares_dns.h"
-#include "inet_net_pton.h"
+#include "ares_inet_net_pton.h"
 #include "ares_private.h"
 
 int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
@@ -141,6 +136,12 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
       rr_len = DNS_RR_LEN(aptr);
       rr_ttl = DNS_RR_TTL(aptr);
       aptr += RRFIXEDSZ;
+      if (aptr + rr_len > abuf + alen)
+        {
+          free(rr_name);
+          status = ARES_EBADRESP;
+          break;
+        }
 
       if (rr_class == C_IN && rr_type == T_AAAA
           && rr_len == sizeof(struct ares_in6_addr)
@@ -204,7 +205,9 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
         }
     }
 
-  if (status == ARES_SUCCESS && naddrs == 0)
+  /* the check for naliases to be zero is to make sure CNAME responses
+     don't get caught here */
+  if (status == ARES_SUCCESS && naddrs == 0 && naliases == 0)
     status = ARES_ENODATA;
   if (status == ARES_SUCCESS)
     {
@@ -239,6 +242,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
                   for (i = 0; i < naddrs; i++)
                     hostent->h_addr_list[i] = (char *) &addrs[i];
                   hostent->h_addr_list[naddrs] = NULL;
+                  if (!naddrs && addrs)
+                    free(addrs);
                   *host = hostent;
                   return ARES_SUCCESS;
                 }