
Commit 9fae8f4

trengginassauwming
andauthored
Merge pull request from GHSA-p6g5-v97c-w5q4
* Prevent heap buffer overflow when parsing DNS packets * Make sure packet parsing doesn't advance beyond max/end * Update checks * Remove check Co-authored-by: sauwming <ming@teluu.com>
1 parent 11559e4 commit 9fae8f4


1 file changed

+18
-10
lines changed

1 file changed

+18
-10
lines changed

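--- a/pjlib-util/src/pjlib-util/dns.c
+++ b/pjlib-util/src/pjlib-util/dns.c
@@ -159,8 +159,13 @@ static pj_status_t get_name_len(int rec_counter, const pj_uint8_t *pkt,
 } else {
 unsigned label_len = *p;
 
-/* Check that label length is valid */
-if (pkt+label_len > max)
+/* Check that label length is valid.
+* Each label consists of an octet length (of size 1) followed
+* by the octet of the specified length (label_len). Then it
+* must be followed by either another label's octet length or
+* a zero length octet (that terminates the sequence).
+*/
+if (p+1+label_len+1 > max)
 return PJLIB_UTIL_EDNSINNAMEPTR;
 
 p += (label_len + 1);
@@ -170,9 +175,6 @@ static pj_status_t get_name_len(int rec_counter, const pj_uint8_t *pkt,
 ++label_len;
 
 *name_len += label_len;
-
-if (p >= max)
-return PJLIB_UTIL_EDNSINSIZE;
 }
 }
 ++p;
@@ -222,8 +224,13 @@ static pj_status_t get_name(int rec_counter, const pj_uint8_t *pkt,
 } else {
 unsigned label_len = *p;
 
-/* Check that label length is valid */
-if (pkt+label_len > max)
+/* Check that label length is valid.
+* Each label consists of an octet length (of size 1) followed
+* by the octet of the specified length (label_len). Then it
+* must be followed by either another label's octet length or
+* a zero length octet (that terminates the sequence).
+*/
+if (p+1+label_len+1 > max)
 return PJLIB_UTIL_EDNSINNAMEPTR;
 
 pj_memcpy(name->ptr + name->slen, p+1, label_len);
@@ -234,9 +241,6 @@ static pj_status_t get_name(int rec_counter, const pj_uint8_t *pkt,
 *(name->ptr + name->slen) = '.';
 ++name->slen;
 }
-
-if (p >= max)
-return PJLIB_UTIL_EDNSINSIZE;
 }
 }
 
@@ -269,6 +273,10 @@ static pj_status_t parse_query(pj_dns_parsed_query *q, pj_pool_t *pool,
 
 p = (start + name_part_len);
 
+/* Check the size can accomodate next few fields. */
+if (p + 4 > max)
+return PJLIB_UTIL_EDNSINSIZE;
+
 /* Get the type */
 pj_memcpy(&q->type, p, 2);
 q->type = pj_ntohs(q->type);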
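Review bot: The new bound test in get_name_len, `if (p+1+label_len+1 > max)`, forms the pointer `p+1+label_len+1` before comparing it, and with label_len up to 255 that pointer can lie well beyond one-past-the-end of the packet buffer; pointer arithmetic past the object is undefined behaviour even when the result is only compared, and compilers have been seen to fold such range checks away. Comparing the remaining length keeps every pointer inside the buffer: `if ((size_t)(max - p) < label_len + 2)`; this assumes p <= max on entry, which appears to hold if the loop only reads `*p` while p < max, but the loop header is outside the hunk. The same pattern is in get_name's check and in parse_query's `if (p + 4 > max)`, which would become `if (max - p < 4)`. The comment added in parse_query also misspells "accommodate".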
