
Commit d1c5e4d

authored
Merge pull request from GHSA-q9cp-8wcq-7pfr
* Prevent heap buffer overflow when parsing DNS packet * Fixed incorrect check in get_name*()
1 parent 5e2d564 commit d1c5e4d


1 file changed

+12
-0
lines changed
  • pjlib-util/src/pjlib-util

1 file changed

+12
-0
lines changed

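--- a/pjlib-util/src/pjlib-util/dns.c
+++ b/pjlib-util/src/pjlib-util/dns.c
@@ -127,6 +127,9 @@ static pj_status_t get_name_len(int rec_counter, const pj_uint8_t *pkt,
 return PJLIB_UTIL_EDNSINNAMEPTR;
 }
 
+if (start >= max)
+return PJLIB_UTIL_EDNSINNAMEPTR;
+
 *name_len = *parsed_len = 0;
 p = start;
 while (*p) {
@@ -199,6 +202,9 @@ static pj_status_t get_name(int rec_counter, const pj_uint8_t *pkt,
 return PJLIB_UTIL_EDNSINNAMEPTR;
 }
 
+if (start >= max)
+return PJLIB_UTIL_EDNSINNAMEPTR;
+
 p = start;
 while (*p) {
 if ((*p & 0xc0) == 0xc0) {
@@ -359,10 +365,14 @@ static pj_status_t parse_rr(pj_dns_parsed_rr *rr, pj_pool_t *pool,
 
 /* Parse some well known records */
 if (rr->type == PJ_DNS_TYPE_A) {
+if (p + 4 > max)
+return PJLIB_UTIL_EDNSINSIZE;
 pj_memcpy(&rr->rdata.a.ip_addr, p, 4);
 p += 4;
 
 } else if (rr->type == PJ_DNS_TYPE_AAAA) {
+if (p + 16 > max)
+return PJLIB_UTIL_EDNSINSIZE;
 pj_memcpy(&rr->rdata.aaaa.ip_addr, p, 16);
 p += 16;
 
@@ -388,6 +398,8 @@ static pj_status_t parse_rr(pj_dns_parsed_rr *rr, pj_pool_t *pool,
 p += name_part_len;
 
 } else if (rr->type == PJ_DNS_TYPE_SRV) {
+if (p + 6 > max)
+return PJLIB_UTIL_EDNSINSIZE;
 
 /* Priority */
 pj_memcpy(&rr->rdata.srv.prio, p, 2);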
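Review bot: The new rdata guards in parse_rr() (`if (p + 4 > max)`, `if (p + 16 > max)`, `if (p + 6 > max)`) form a pointer that can lie more than one element past the end of the buffer before comparing it, assuming `max` marks the end of the packet. That is undefined behaviour in C and an optimiser may fold the check away; comparing the remaining length avoids it, e.g. `if (max - p < 4) return PJLIB_UTIL_EDNSINSIZE;`, and likewise for 16 and 6. The guards bound each copy by the packet end only, and these hunks do not show whether the record's own rdlength is checked against the 4/16/6 bytes consumed, so a record declaring a shorter rdata may still be parsed out of the bytes that follow it; worth confirming. In get_name_len() and get_name() the added `if (start >= max)` covers only the first dereference, and the `while (*p)` loops continue outside the hunks, so each advance of `p` there should be confirmed to be rechecked against `max`.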
