authorKevin Darbyshire-Bryant2020-04-12 16:53:05 +0000
committerKevin Darbyshire-Bryant2020-04-19 20:49:08 +0000
commite74a3f9883199e9db7220d52b78e5fbdb4441ca3 (patch)
tree1310341d1f62aaa73e3f27642e5e6195c38e302c
parentab7a39a5b5a0ff74601dd4e82145ca554c1e2ac6 (diff)
downloadmdnsd-e74a3f9883199e9db7220d52b78e5fbdb4441ca3.tar.gz
dns.c: improve input validation
dns.c:
scan_name(): add more input validation
parse_answer(): add remaining length check
dns_handle_packet(): add remaining length check

Addresses CVE-2020-11750

Thanks to Guido Vranken <guido@guidovranken.com> for the report, who requested credit be given to 'ForAllSecure Mayhem'.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
-rw-r--r--dns.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/dns.c b/dns.c
index 86e5ea3..c64f3b1 100644
--- a/dns.c
+++ b/dns.c
@@ -222,6 +222,7 @@ scan_name(const uint8_t *buffer, int len)
if (IS_COMPRESSED(l))
return offset + 2;
+ if (l + 1 > len) return -1;
len -= l + 1;
offset += l + 1;
buffer += l + 1;
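Review bot: The compression-pointer branch above the new guard, `if (IS_COMPRESSED(l)) return offset + 2;`, still returns without confirming that two bytes remain, so a pointer byte in the last position of the buffer yields a length one greater than what `len` allows. The `rlen < 0` tests this commit adds in parse_answer() and dns_handle_packet() appear to be what catches that case, but rejecting it here keeps scan_name() correct on its own: `if (IS_COMPRESSED(l)) return len < 2 ? -1 : offset + 2;`. The added guard would also read better with its `return -1;` on a separate line, matching the branch above it. scan_name() begins and ends outside the hunk, so the loop condition and how `l` is read are assumed rather than visible.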
@@ -317,7 +318,7 @@ static int parse_answer(struct interface *iface, struct sockaddr *from,
struct dns_answer *a;
uint8_t *rdata;
- if (!name) {
+ if (!name || rlen < 0) {
fprintf(stderr, "dropping: bad question\n");
return -1;
}
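Review bot: The `rlen < 0` test is repeated here and in dns_handle_packet() instead of being made once where `rlen` is computed; the third hunk shows it being filled in by `dns_consume_name(buffer, len, &b, &rlen)`. If that helper returned NULL whenever the scanned name is longer than the remaining data, every present and future caller would be covered by the existing `!name` test. If the check stays in the callers, a short comment such as `/* rlen < 0: name ran past the end of the packet */` would explain why a length can be negative at this point, and the "dropping: bad question" message in parse_answer() could say which condition fired. Both functions continue outside their hunks, so how `rlen` is used afterwards is not visible here.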
@@ -421,7 +422,7 @@ dns_handle_packet(struct interface *iface, struct sockaddr *from, uint16_t port,
char *name = dns_consume_name(buffer, len, &b, &rlen);
struct dns_question *q;
- if (!name) {
+ if (!name || rlen < 0) {
fprintf(stderr, "dropping: bad name\n");
return;
}