From: Shawn Landden Date: Wed, 17 Jan 2018 13:49:22 +0000 (-0800) Subject: resolve: check for underflow of size parameter (#7889) X-Git-Tag: v237~88 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=8a0f6d1f6b8086e342e56aad55d536b42c01e08d;p=platform%2Fupstream%2Fsystemd.git resolve: check for underflow of size parameter (#7889) to dns_packet_read_memdup() Closes #7888 --- diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c index d7a839a..70260b3 100644 --- a/src/resolve/resolved-dns-packet.c +++ b/src/resolve/resolved-dns-packet.c @@ -1837,6 +1837,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl if (r < 0) return r; + if (rdlength < 4) + return -EBADMSG; + r = dns_packet_read_memdup(p, rdlength - 4, &rr->ds.digest, &rr->ds.digest_size, NULL); @@ -1859,6 +1862,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl if (r < 0) return r; + if (rdlength < 2) + return -EBADMSG; + r = dns_packet_read_memdup(p, rdlength - 2, &rr->sshfp.fingerprint, &rr->sshfp.fingerprint_size, NULL); @@ -1883,6 +1889,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl if (r < 0) return r; + if (rdlength < 4) + return -EBADMSG; + r = dns_packet_read_memdup(p, rdlength - 4, &rr->dnskey.key, &rr->dnskey.key_size, NULL); @@ -1927,6 +1936,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl if (r < 0) return r; + if (rdlength + offset < p->rindex) + return -EBADMSG; + r = dns_packet_read_memdup(p, offset + rdlength - p->rindex, &rr->rrsig.signature, &rr->rrsig.signature_size, NULL); @@ -2016,6 +2028,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl if (r < 0) return r; + if (rdlength < 3) + return -EBADMSG; + r = dns_packet_read_memdup(p, rdlength - 3, &rr->tlsa.data, &rr->tlsa.data_size, NULL); @@ -2036,6 +2051,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl if (r < 0) return r; + if (rdlength + offset < p->rindex) + return -EBADMSG; + r = dns_packet_read_memdup(p, rdlength + offset - p->rindex, &rr->caa.value, &rr->caa.value_size, NULL);