Merge pull request from GHSA-p6g5-v97c-w5q4
* Prevent heap buffer overflow when parsing DNS packets

* Make sure packet parsing doesn't advance beyond max/end

* Update checks

* Remove check

Co-authored-by: sauwming <ming@teluu.com>
trengginas and sauwming committed Apr 6, 2022
1 parent 11559e4 commit 9fae8f4
Showing 1 changed file with 18 additions and 10 deletions.
28 changes: 18 additions & 10 deletions pjlib-util/src/pjlib-util/dns.c
Expand Up @@ -159,8 +159,13 @@ static pj_status_t get_name_len(int rec_counter, const pj_uint8_t *pkt,
} else {
unsigned label_len = *p;

/* Check that label length is valid */
if (pkt+label_len > max)
/* Check that label length is valid.
* Each label consists of an octet length (of size 1) followed
* by the octet of the specified length (label_len). Then it
* must be followed by either another label's octet length or
* a zero length octet (that terminates the sequence).
*/
if (p+1+label_len+1 > max)
return PJLIB_UTIL_EDNSINNAMEPTR;

p += (label_len + 1);
Expand All @@ -170,9 +175,6 @@ static pj_status_t get_name_len(int rec_counter, const pj_uint8_t *pkt,
++label_len;

*name_len += label_len;

if (p >= max)
return PJLIB_UTIL_EDNSINSIZE;
}
}
++p;
Expand Down Expand Up @@ -222,8 +224,13 @@ static pj_status_t get_name(int rec_counter, const pj_uint8_t *pkt,
} else {
unsigned label_len = *p;

/* Check that label length is valid */
if (pkt+label_len > max)
/* Check that label length is valid.
* Each label consists of an octet length (of size 1) followed
* by the octet of the specified length (label_len). Then it
* must be followed by either another label's octet length or
* a zero length octet (that terminates the sequence).
*/
if (p+1+label_len+1 > max)
return PJLIB_UTIL_EDNSINNAMEPTR;

pj_memcpy(name->ptr + name->slen, p+1, label_len);
Expand All @@ -234,9 +241,6 @@ static pj_status_t get_name(int rec_counter, const pj_uint8_t *pkt,
*(name->ptr + name->slen) = '.';
++name->slen;
}

if (p >= max)
return PJLIB_UTIL_EDNSINSIZE;
}
}

Expand Down Expand Up @@ -269,6 +273,10 @@ static pj_status_t parse_query(pj_dns_parsed_query *q, pj_pool_t *pool,

p = (start + name_part_len);

/* Check the size can accomodate next few fields. */
if (p + 4 > max)
return PJLIB_UTIL_EDNSINSIZE;

/* Get the type */
pj_memcpy(&q->type, p, 2);
q->type = pj_ntohs(q->type);
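Review bot: The new bounds checks in the first, third and fifth hunks (`p+1+label_len+1 > max` in get_name_len and get_name, `p + 4 > max` in parse_query) form a pointer past the end of the packet before comparing it, which is undefined behaviour in C; with label_len read straight from the packet (up to 255), this is precisely the pointer the optimizer is entitled to assume stays in range. Comparing the remaining length instead avoids that, e.g. `if (max - p < (long)label_len + 2)` and `if (max - p < 4)`, which relies on the earlier `p < max` check that I take to be outside the hunk. Dropping the `p >= max` tests in the second and fourth hunks is consistent with the new guard, since after `p += (label_len + 1)` at least one octet remains before max. The comment on the parse_query check misspells "accommodate" and could name the fields it covers, `/* Check the size can accommodate the 2-byte type and 2-byte class fields. */`, assuming the class read follows the type read below the hunk. All three enclosing functions start and continue outside the hunks.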
