From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001

From: Simon Kelley <simon@thekelleys.org.uk>

Date: Tue, 26 Sep 2017 22:00:11 +0100

Subject: Security fix, CVE-2017-14491, DNS heap buffer overflow.

Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc

Handles case when RR name is not a pointer to the question,

only occurs for some auth-mode replies, therefore not

detected by fuzzing (?)

---

 src/rfc1035.c | 27 +++++++++++++++------------

 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/src/rfc1035.c b/src/rfc1035.c

index 27af023..56ab88b 100644

--- a/src/rfc1035.c

+++ b/src/rfc1035.c

@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int

   va_start(ap, format);   /* make ap point to 1st unamed argument */

-  /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */

-  CHECK_LIMIT(12);

-

   if (nameoffset > 0)

     {

+      CHECK_LIMIT(2);

       PUTSHORT(nameoffset | 0xc000, p);

     }

   else

     {

       char *name = va_arg(ap, char *);

-      if (name)

-	p = do_rfc1035_name(p, name, limit);

-        if (!p)

-          {

-            va_end(ap);

-            goto truncated;

-          }

-

+      if (name && !(p = do_rfc1035_name(p, name, limit)))

+	{

+	  va_end(ap);

+	  goto truncated;

+	}

+      

       if (nameoffset < 0)

 	{

+	  CHECK_LIMIT(2);

 	  PUTSHORT(-nameoffset | 0xc000, p);

 	}

       else

-	*p++ = 0;

+	{

+	  CHECK_LIMIT(1);

+	  *p++ = 0;

+	}

     }

+  /* type (2) + class (2) + ttl (4) + rdlen (2) */

+  CHECK_LIMIT(10);

+  

   PUTSHORT(type, p);

   PUTSHORT(class, p);

   PUTLONG(ttl, p);      /* TTL */

-- 

2.7.4