Security fix, CVE-2017-14491, DNS heap buffer overflow.(2)submit/tizen/20180125.231631accepted/tizen/unified/20180126.042808

Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
Handles case when RR name is not a pointer to the question,
only occurs for some auth-mode replies, therefore not
detected by fuzzing (?)

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=62cb936cb7ad5f219715515ae7d32dd281a5aa1f

Change-Id: I7f7fb931776dc3a9fa50a2811758c1da6dd44f0d
Signed-off-by: Seonah Moon <seonah1.moon@samsung.com>

1 files changed, 10 insertions, 7 deletions

diff --git a/src/rfc1035.c b/src/rfc1035.c
index 605196a..26a2254 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1383,19 +1383,15 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
 
   va_start(ap, format);   /* make ap point to 1st unamed argument */
 
-  /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
-  CHECK_LIMIT(12);
-
   if (nameoffset > 0)
     {
+      CHECK_LIMIT(2);
       PUTSHORT(nameoffset | 0xc000, p);
     }
   else
     {
       char *name = va_arg(ap, char *);
-	  if (name)
-      p = do_rfc1035_name(p, name, limit);
-	  if (!p)
+	  if (name && !(p = do_rfc1035_name(p, name, limit)))
 	  {
 		  va_end(ap);
 		  goto truncated;
@@ -1403,12 +1399,19 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
 
       if (nameoffset < 0)
 	{
+      CHECK_LIMIT(2);
 	  PUTSHORT(-nameoffset | 0xc000, p);
 	}
       else
-	*p++ = 0;
+    {
+      CHECK_LIMIT(1);
+	  *p++ = 0;
+	}
     }
 
+  /* type (2) + class (2) + ttl (4) + rdlen (2) */
+  CHECK_LIMIT(10);
+
   PUTSHORT(type, p);
   PUTSHORT(class, p);
   PUTLONG(ttl, p);      /* TTL */