From: Kevin Darbyshire-Bryant Date: Sun, 12 Apr 2020 16:53:05 +0000 (+0100) Subject: dns.c: improve input validation X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=e74a3f9883199e9db7220d52b78e5fbdb4441ca3;p=project%2Fmdnsd.git dns.c: improve input validation dns.c scan_name() add more input validation parse_answer() add remaining length check dns_handle_packet() add remaining length check Addresses CVE-2020-11750 Thanks to Guido Vranken for the report who requested credit be given to 'ForAllSecure Mayhem'. Signed-off-by: Kevin Darbyshire-Bryant --- diff --git a/dns.c b/dns.c index 86e5ea3..c64f3b1 100644 --- a/dns.c +++ b/dns.c @@ -222,6 +222,7 @@ scan_name(const uint8_t *buffer, int len) if (IS_COMPRESSED(l)) return offset + 2; + if (l + 1 > len) return -1; len -= l + 1; offset += l + 1; buffer += l + 1; @@ -317,7 +318,7 @@ static int parse_answer(struct interface *iface, struct sockaddr *from, struct dns_answer *a; uint8_t *rdata; - if (!name) { + if (!name || rlen < 0) { fprintf(stderr, "dropping: bad question\n"); return -1; } @@ -421,7 +422,7 @@ dns_handle_packet(struct interface *iface, struct sockaddr *from, uint16_t port, char *name = dns_consume_name(buffer, len, &b, &rlen); struct dns_question *q; - if (!name) { + if (!name || rlen < 0) { fprintf(stderr, "dropping: bad name\n"); return; }