resolve: check for underflow of size parameter (#7889)

author Shawn Landden <slandden@gmail.com>

Wed, 17 Jan 2018 13:49:22 +0000 (05:49 -0800)

committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Wed, 17 Jan 2018 13:49:22 +0000 (00:49 +1100)
author Shawn Landden <slandden@gmail.com>
Wed, 17 Jan 2018 13:49:22 +0000 (05:49 -0800)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 17 Jan 2018 13:49:22 +0000 (00:49 +1100)
diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c

index d7a839a..70260b3 100644 (file)
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1837,6 +1837,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                  if (r < 0)
                          return r;
  
+                if (rdlength < 4)
+                        return -EBADMSG;
+
                  r = dns_packet_read_memdup(p, rdlength - 4,
                                             &rr->ds.digest, &rr->ds.digest_size,
                                             NULL);
@@ -1859,6 +1862,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                  if (r < 0)
                          return r;
  
+                if (rdlength < 2)
+                        return -EBADMSG;
+
                  r = dns_packet_read_memdup(p, rdlength - 2,
                                             &rr->sshfp.fingerprint, &rr->sshfp.fingerprint_size,
                                             NULL);
@@ -1883,6 +1889,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                  if (r < 0)
                          return r;
  
+                if (rdlength < 4)
+                        return -EBADMSG;
+
                  r = dns_packet_read_memdup(p, rdlength - 4,
                                             &rr->dnskey.key, &rr->dnskey.key_size,
                                             NULL);
@@ -1927,6 +1936,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                  if (r < 0)
                          return r;
  
+                if (rdlength + offset < p->rindex)
+                        return -EBADMSG;
+
                  r = dns_packet_read_memdup(p, offset + rdlength - p->rindex,
                                             &rr->rrsig.signature, &rr->rrsig.signature_size,
                                             NULL);
@@ -2016,6 +2028,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                  if (r < 0)
                          return r;
  
+                if (rdlength < 3)
+                        return -EBADMSG;
+
                  r = dns_packet_read_memdup(p, rdlength - 3,
                                             &rr->tlsa.data, &rr->tlsa.data_size,
                                             NULL);
@@ -2036,6 +2051,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                  if (r < 0)
                          return r;
  
+                if (rdlength + offset < p->rindex)
+                        return -EBADMSG;
+
                  r = dns_packet_read_memdup(p,
                                             rdlength + offset - p->rindex,
                                             &rr->caa.value, &rr->caa.value_size, NULL);
author	Shawn Landden <slandden@gmail.com>
	Wed, 17 Jan 2018 13:49:22 +0000 (05:49 -0800)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Wed, 17 Jan 2018 13:49:22 +0000 (00:49 +1100)