From 8a0f6d1f6b8086e342e56aad55d536b42c01e08d Mon Sep 17 00:00:00 2001
From: Shawn Landden
Date: Wed, 17 Jan 2018 05:49:22 -0800
Subject: [PATCH] resolve: check for underflow of size parameter (#7889) to dns_packet_read_memdup() Closes #7888
---
 src/resolve/resolved-dns-packet.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index d7a839a..70260b3 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1837,6 +1837,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
 if (r < 0) return r;
+ if (rdlength < 4)
+ return -EBADMSG;
+
 r = dns_packet_read_memdup(p, rdlength - 4, &rr->ds.digest, &rr->ds.digest_size, NULL);
@@ -1859,6 +1862,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
 if (r < 0) return r;
+ if (rdlength < 2)
+ return -EBADMSG;
+
 r = dns_packet_read_memdup(p, rdlength - 2, &rr->sshfp.fingerprint, &rr->sshfp.fingerprint_size, NULL);
@@ -1883,6 +1889,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
 if (r < 0) return r;
+ if (rdlength < 4)
+ return -EBADMSG;
+
 r = dns_packet_read_memdup(p, rdlength - 4, &rr->dnskey.key, &rr->dnskey.key_size, NULL);
@@ -1927,6 +1936,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
 if (r < 0) return r;
+ if (rdlength + offset < p->rindex)
+ return -EBADMSG;
+
 r = dns_packet_read_memdup(p, offset + rdlength - p->rindex, &rr->rrsig.signature, &rr->rrsig.signature_size, NULL);
@@ -2016,6 +2028,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
 if (r < 0) return r;
+ if (rdlength < 3)
+ return -EBADMSG;
+
 r = dns_packet_read_memdup(p, rdlength - 3, &rr->tlsa.data, &rr->tlsa.data_size, NULL);
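Review bot: The literal 4 now appears twice in the DS branch, once in `if (rdlength < 4)` and once in `rdlength - 4`, and both have to equal the number of fixed bytes consumed by the reads above the hunk, which are not visible here. The same pairing recurs in the SSHFP (2), DNSKEY (4) and TLSA (3) hunks, so a later change to any of those parsers must update two constants to stay safe. Deriving the remaining length the way the RRSIG and CAA hunks do, `if (rdlength + offset < p->rindex) return -EBADMSG;` with `offset + rdlength - p->rindex` as the size, would drop the literals and make all six guards identical. dns_packet_read_rr starts and ends outside the hunk, so it should first be confirmed that `offset` marks the start of the RDATA for every branch.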
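Review bot: `if (rdlength < 4)` in the DNSKEY branch still accepts rdlength equal to 4, so `dns_packet_read_memdup()` is asked for zero bytes and `rr->dnskey.key_size` presumably ends up as 0. The DS, SSHFP and TLSA hunks have the same boundary, as does the RRSIG hunk when `rdlength + offset` equals `p->rindex`. If code after the call (outside the hunk) already rejects an empty key, digest, fingerprint or signature this is harmless and a short comment saying so would help; if not, the guard can be tightened to `if (rdlength <= 4) return -EBADMSG;` for the record types where an empty field is never meaningful.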
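Review bot: The RRSIG guard `if (rdlength + offset < p->rindex)` has no comment saying why it compares against the read cursor rather than a constant, unlike the four fixed-size hunks. Presumably variable-length fields are parsed above the hunk and can advance `p->rindex` past the declared end of the RDATA, which is what would make `offset + rdlength - p->rindex` wrap; a one-line comment such as `/* fields read above may have consumed more than rdlength bytes; reject before the subtraction wraps */` would record that. The CAA hunk at the end of the patch uses the same guard and would take the same comment. The operand order also differs between the check (`rdlength + offset`) and the call (`offset + rdlength`) in this hunk; writing both the same way makes the pairing easier to see.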
@@ -2036,6 +2051,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
 if (r < 0) return r;
+ if (rdlength + offset < p->rindex)
+ return -EBADMSG;
+
 r = dns_packet_read_memdup(p, rdlength + offset - p->rindex, &rr->caa.value, &rr->caa.value_size, NULL);
--
2.7.4