protocol parsing: check input data stricter

... so that bad length fields aren't blindly accepted Bug: http://c-ares.haxx.se/mail/c-ares-archive-2013-04/0016.shtml
12 years ago · 148c8e0353
parent 2004a7a111
commit 148c8e0353
9 changed files with 52 additions and 2 deletions
--- a/ares_expand_name.c
+++ b/ares_expand_name.c
@ -143,7 +143,7 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
  int n = 0, offset, indir = 0;

  /* Allow the caller to pass us abuf + alen and have us check for it. */
-  if (encoded == abuf + alen)
+  if (encoded >= abuf + alen)
    return -1;

  while (*encoded)
--- a/ares_parse_a_reply.c
+++ b/ares_parse_a_reply.c
@ -136,6 +136,12 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,
      rr_len = DNS_RR_LEN(aptr);
      rr_ttl = DNS_RR_TTL(aptr);
      aptr += RRFIXEDSZ;
+      if (aptr + rr_len > abuf + alen)
+        {
+          free(rr_name);
+          status = ARES_EBADRESP;
+          break;
+        }

      if (rr_class == C_IN && rr_type == T_A
          && rr_len == sizeof(struct in_addr)
--- a/ares_parse_aaaa_reply.c
+++ b/ares_parse_aaaa_reply.c
@ -136,6 +136,12 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
      rr_len = DNS_RR_LEN(aptr);
      rr_ttl = DNS_RR_TTL(aptr);
      aptr += RRFIXEDSZ;
+      if (aptr + rr_len > abuf + alen)
+        {
+          free(rr_name);
+          status = ARES_EBADRESP;
+          break;
+        }

      if (rr_class == C_IN && rr_type == T_AAAA
          && rr_len == sizeof(struct ares_in6_addr)
--- a/ares_parse_mx_reply.c
+++ b/ares_parse_mx_reply.c
@ -100,6 +100,11 @@ ares_parse_mx_reply (const unsigned char *abuf, int alen,
      rr_class = DNS_RR_CLASS (aptr);
      rr_len = DNS_RR_LEN (aptr);
      aptr += RRFIXEDSZ;
+      if (aptr + rr_len > abuf + alen)
+        {
+          status = ARES_EBADRESP;
+          break;
+        }

      /* Check if we are really looking at a MX record */
      if (rr_class == C_IN && rr_type == T_MX)
--- a/ares_parse_naptr_reply.c
+++ b/ares_parse_naptr_reply.c
@ -105,6 +105,11 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
      rr_class = DNS_RR_CLASS (aptr);
      rr_len = DNS_RR_LEN (aptr);
      aptr += RRFIXEDSZ;
+      if (aptr + rr_len > abuf + alen)
+        {
+          status = ARES_EBADRESP;
+          break;
+        }

      /* Check if we are really looking at a NAPTR record */
      if (rr_class == C_IN && rr_type == T_NAPTR)
--- a/ares_parse_ns_reply.c
+++ b/ares_parse_ns_reply.c
@ -105,6 +105,12 @@ int ares_parse_ns_reply( const unsigned char* abuf, int alen,
    rr_class = DNS_RR_CLASS( aptr );
    rr_len = DNS_RR_LEN( aptr );
    aptr += RRFIXEDSZ;
+    if (aptr + rr_len > abuf + alen)
+      {
+        free(rr_name);
+        status = ARES_EBADRESP;
+        break;
+      }

    if ( rr_class == C_IN && rr_type == T_NS )
    {
--- a/ares_parse_ptr_reply.c
+++ b/ares_parse_ptr_reply.c
@ -103,6 +103,12 @@ int ares_parse_ptr_reply(const unsigned char *abuf, int alen, const void *addr,
      rr_class = DNS_RR_CLASS(aptr);
      rr_len = DNS_RR_LEN(aptr);
      aptr += RRFIXEDSZ;
+      if (aptr + rr_len > abuf + alen)
+        {
+          free(rr_name);
+          status = ARES_EBADRESP;
+          break;
+        }

      if (rr_class == C_IN && rr_type == T_PTR
          && strcasecmp(rr_name, ptrname) == 0)
@ -203,7 +209,7 @@ int ares_parse_ptr_reply(const unsigned char *abuf, int alen, const void *addr,
      status = ARES_ENOMEM;
    }
  for (i=0 ; i<aliascnt ; i++)
-    if (aliases[i]) 
+    if (aliases[i])
      free(aliases[i]);
  free(aliases);
  if (hostname)
--- a/ares_parse_srv_reply.c
+++ b/ares_parse_srv_reply.c
@ -105,6 +105,11 @@ ares_parse_srv_reply (const unsigned char *abuf, int alen,
      rr_class = DNS_RR_CLASS (aptr);
      rr_len = DNS_RR_LEN (aptr);
      aptr += RRFIXEDSZ;
+      if (aptr + rr_len > abuf + alen)
+        {
+          status = ARES_EBADRESP;
+          break;
+        }

      /* Check if we are really looking at a SRV record */
      if (rr_class == C_IN && rr_type == T_SRV)
--- a/ares_parse_txt_reply.c
+++ b/ares_parse_txt_reply.c
@ -106,6 +106,11 @@ ares_parse_txt_reply (const unsigned char *abuf, int alen,
      rr_class = DNS_RR_CLASS (aptr);
      rr_len = DNS_RR_LEN (aptr);
      aptr += RRFIXEDSZ;
+      if (aptr + rr_len > abuf + alen)
+        {
+          status = ARES_EBADRESP;
+          break;
+        }

      /* Check if we are really looking at a TXT record */
      if (rr_class == C_IN && rr_type == T_TXT)
@ -144,6 +149,12 @@ ares_parse_txt_reply (const unsigned char *abuf, int alen,
              strptr += substr_len + 1;
            }

+          if (strptr != (aptr + rr_len))
+            {
+              status = ARES_EBADRESP;
+              break;
+            }
+
          /* Including null byte */
          txt_curr->txt = malloc (txt_curr->length + 1);
          if (txt_curr->txt == NULL)