From 711443a8e3220b3d4445de59fb0f281f010f17a1 Mon Sep 17 00:00:00 2001
From: Robert Lubos
Date: Wed, 19 Nov 2025 10:40:28 +0100
Subject: [PATCH] net: dns: Fix potential buffer overflow when unpacking labels

As the loop unpacking the DNS name from records checks the current label length on each iteration, it's also needed to update the remaining buffer length on each iteration, otherwise the buffer length checks doesn't work as expected. Additionally, the remaining buffer checks while technically worked, they were conceptually wrong and unintuitive. The buf->data pointer doesn't move, so comparing against this pointer when adding new labels doesn't make sense. It's more intuitive to simply compare the label size vs the remaining buffer space.

Signed-off-by: Robert Lubos
(cherry picked from commit 7bd45cd39b49c0613ef831e255d0f09bc75bbfe7)
---
 subsys/net/lib/dns/dns_pack.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/subsys/net/lib/dns/dns_pack.c b/subsys/net/lib/dns/dns_pack.c
index 0964ebb4245c6..3e7c27e052375 100644
--- a/subsys/net/lib/dns/dns_pack.c
+++ b/subsys/net/lib/dns/dns_pack.c
@@ -482,7 +482,6 @@ int mdns_unpack_query_header(struct dns_msg_t *msg, uint16_t *src_id)
 static int dns_unpack_name(const uint8_t *msg, int maxlen, const uint8_t *src,
 struct net_buf *buf, const uint8_t **eol)
 {
- int dest_size = net_buf_tailroom(buf);
 const uint8_t *end_of_label = NULL;
 const uint8_t *curr_src = src;
 int loop_check = 0, len = -1;
@@ -521,6 +520,8 @@ static int dns_unpack_name(const uint8_t *msg, int maxlen, const uint8_t *src,
 return -EMSGSIZE;
 }
 } else {
+ size_t dest_size = net_buf_tailroom(buf);
+
 /* Max label length is 64 bytes (because 2 bits are
 * used for pointer)
 */
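Review bot: The per-iteration `dest_size` read added in the `else` branch carries the whole fix, but nothing in the code says so, and a later cleanup could hoist it back to function scope and bring back the stale-length check the commit message describes. A one-line comment above the declaration would pin the intent, e.g. `/* Re-read for every label: the remaining tailroom changes as the name is unpacked into buf */`. The diffstat lists only dns_pack.c, so a regression test that unpacks a multi-label name larger than the destination buffer and expects `-EMSGSIZE` would be worth adding with this change. The loop header and the rest of dns_unpack_name lie outside this hunk.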
@@ -529,8 +530,7 @@ static int dns_unpack_name(const uint8_t *msg, int maxlen, const uint8_t *src,
 return -EMSGSIZE;
 }

- if (((buf->data + label_len + 1) >=
- (buf->data + dest_size)) ||
+ if ((label_len + 1 >= dest_size) ||
 ((curr_src + label_len) >= (msg + maxlen))) {
 return -EMSGSIZE;
 }
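Review bot: In `label_len + 1 >= dest_size` the left side appears to be a signed int (the declaration of `label_len` is outside the hunk) while `dest_size` is now `size_t`, so the comparison is carried out unsigned. The context just above suggests the label length is already capped before this point, which would keep the conversion harmless, but the check is easier to audit and stays quiet under `-Wsign-compare` when written as `if (((size_t)label_len + 1 >= dest_size) ||`. A short comment stating what the `+ 1` and the `>=` reserve (presumably the separator and a terminating byte) would also help, since that decides whether a name that exactly fills the buffer is accepted. The function body continues outside the hunk.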