Permalink
Browse files

ares_parse_naptr_reply: make buffer length check more accurate

9478908 introduced a length check
for records parsed by `ares_parse_naptr_reply()`. However, that
function is designed to parse replies which also contain non-NAPTR
records; for A records, the `rr_len > 7` check will fail as there
are only 4 bytes of payload.
In particular, parsing ANY replies for NAPTR records was broken
by that patch.

Fix that by moving the check into the case in which it is already
known that the record is a NAPTR record.
  • Loading branch information...
addaleax authored and daviddrysdale committed Jul 15, 2017
1 parent df9af31 commit 18ea99693d63f957ecb670045adbd2c1da8a4641
Showing with 7 additions and 6 deletions.
  1. +7 −6 ares_parse_naptr_reply.c
@@ -110,18 +110,19 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
status = ARES_EBADRESP;
break;
}
/* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
if (rr_len < 7)
{
status = ARES_EBADRESP;
break;
}
/* Check if we are really looking at a NAPTR record */
if (rr_class == C_IN && rr_type == T_NAPTR)
{
/* parse the NAPTR record itself */
/* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
if (rr_len < 7)
{
status = ARES_EBADRESP;
break;
}
/* Allocate storage for this NAPTR answer appending it to the list */
naptr_curr = ares_malloc_data(ARES_DATATYPE_NAPTR_REPLY);
if (!naptr_curr)

0 comments on commit 18ea996

Please sign in to comment.