summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorSeonah Moon <seonah1.moon@samsung.com>2017-10-16 18:41:09 +0900
committerSeonah Moon <seonah1.moon@samsung.com>2018-01-25 17:59:21 +0900
commit7a8e76aa62fdf064689c63bc7b1b4ebf7e76cd3f (patch)
treea89f5daf45608bff49b842567f35f323fb246d68 /src
parentc89c363213d85f0916451cddacf359be0400dcbb (diff)
downloaddnsmasq-7a8e76aa62fdf064689c63bc7b1b4ebf7e76cd3f.tar.gz
dnsmasq-7a8e76aa62fdf064689c63bc7b1b4ebf7e76cd3f.tar.bz2
dnsmasq-7a8e76aa62fdf064689c63bc7b1b4ebf7e76cd3f.zip
Security fix, CVE-2017-14491, DNS heap buffer overflow.(2)submit/tizen/20180125.231631accepted/tizen/unified/20180126.042808
Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc Handles case when RR name is not a pointer to the question, only occurs for some auth-mode replies, therefore not detected by fuzzing (?) http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=62cb936cb7ad5f219715515ae7d32dd281a5aa1f Change-Id: I7f7fb931776dc3a9fa50a2811758c1da6dd44f0d Signed-off-by: Seonah Moon <seonah1.moon@samsung.com>
Diffstat (limited to 'src')
-rw-r--r--src/rfc1035.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 605196a..26a2254 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1383,19 +1383,15 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
va_start(ap, format); /* make ap point to 1st unamed argument */
- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
- CHECK_LIMIT(12);
-
if (nameoffset > 0)
{
+ CHECK_LIMIT(2);
PUTSHORT(nameoffset | 0xc000, p);
}
else
{
char *name = va_arg(ap, char *);
- if (name)
- p = do_rfc1035_name(p, name, limit);
- if (!p)
+ if (name && !(p = do_rfc1035_name(p, name, limit)))
{
va_end(ap);
goto truncated;
@@ -1403,12 +1399,19 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
if (nameoffset < 0)
{
+ CHECK_LIMIT(2);
PUTSHORT(-nameoffset | 0xc000, p);
}
else
- *p++ = 0;
+ {
+ CHECK_LIMIT(1);
+ *p++ = 0;
+ }
}
+ /* type (2) + class (2) + ttl (4) + rdlen (2) */
+ CHECK_LIMIT(10);
+
PUTSHORT(type, p);
PUTSHORT(class, p);
PUTLONG(ttl, p); /* TTL */