From 613ece5c47f10c7fd6e9c0cd7b387210ab9e1fb6 Mon Sep 17 00:00:00 2001
From: Victor Seva
Date: Wed, 1 Feb 2017 12:53:28 +0100
Subject: [PATCH] core: avoid overrun-buffer-arg
> Overrunning array ((struct a_rdata *)rr->rdata)->ip of 4 bytes
> by passing it to a function which accesses it at byte offset 15
> using argument len (which evaluates to 16)
---
 src/core/dns_cache.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/core/dns_cache.c b/src/core/dns_cache.c
index 21b780ee0f8..c4b910d265f 100644
--- a/src/core/dns_cache.c
+++ b/src/core/dns_cache.c
@@ -2362,6 +2362,7 @@ inline static struct hostent* dns_entry2he(struct dns_hash_entry* e)
 int af, len;
 struct dns_rr* rr;
 unsigned char rr_no;
+ unsigned char *ip;
 ticks_t now;
 int i;
@@ -2389,7 +2390,15 @@ inline static struct hostent* dns_entry2he(struct dns_hash_entry* e)
 for(i=0; rr && (irdata)->ip, len);
+ switch(e->type){
+ case T_A:
+ ip = ((struct a_rdata*)rr->rdata)->ip;
+ break;
+ case T_AAAA:
+ ip = ((struct aaaa_rdata*)rr->rdata)->ip6;
+ break;
+ }
+ memcpy(p_addr[i], ip, len);
 }
 if (i==0){
 LM_DBG("no good records found (%d) for %.*s (%d)\n",
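Review bot: The added `switch(e->type)` in the second hunk has no `default`, so for any type other than T_A or T_AAAA `ip` stays uninitialized and the following `memcpy(p_addr[i], ip, len)` reads through an indeterminate pointer. An earlier check in dns_entry2he, outside this hunk, may already reject other types, but nothing visible here guarantees it; adding `default: return 0;` (or the function's existing error path, if it needs cleanup) would make that invariant explicit. The copy is also only in bounds while `len` matches the selected field (4 bytes for `ip` per the commit message, presumably 16 for `ip6`), and `len` is assigned outside the hunk. A short comment above the switch, such as `/* len was set from e->type above and must match the field chosen here */`, would keep the two from drifting apart. The function body starts before and continues after the hunk.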