|
 |
b46d76 |
From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
|
|
|
b46d76 |
From: Simon Kelley <simon@thekelleys.org.uk>
|
|
|
b46d76 |
Date: Tue, 26 Sep 2017 22:00:11 +0100
|
|
|
b46d76 |
Subject: Security fix, CVE-2017-14491, DNS heap buffer overflow.
|
|
|
b46d76 |
|
|
|
b46d76 |
Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
|
|
|
b46d76 |
Handles case when RR name is not a pointer to the question,
|
|
|
b46d76 |
only occurs for some auth-mode replies, therefore not
|
|
|
b46d76 |
detected by fuzzing (?)
|
|
|
b46d76 |
---
|
|
|
b46d76 |
src/rfc1035.c | 27 +++++++++++++++------------
|
|
|
b46d76 |
1 file changed, 15 insertions(+), 12 deletions(-)
|
|
|
b46d76 |
|
|
|
b46d76 |
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
|
|
b46d76 |
index 27af023..56ab88b 100644
|
|
|
b46d76 |
--- a/src/rfc1035.c
|
|
|
b46d76 |
+++ b/src/rfc1035.c
|
|
|
b46d76 |
@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
|
|
|
b46d76 |
|
|
|
b46d76 |
va_start(ap, format); /* make ap point to 1st unamed argument */
|
|
|
b46d76 |
|
|
|
b46d76 |
- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
|
|
|
b46d76 |
- CHECK_LIMIT(12);
|
|
|
b46d76 |
-
|
|
|
b46d76 |
if (nameoffset > 0)
|
|
|
b46d76 |
{
|
|
|
b46d76 |
+ CHECK_LIMIT(2);
|
|
|
b46d76 |
PUTSHORT(nameoffset | 0xc000, p);
|
|
|
b46d76 |
}
|
|
|
b46d76 |
else
|
|
|
b46d76 |
{
|
|
|
b46d76 |
char *name = va_arg(ap, char *);
|
|
|
b46d76 |
- if (name)
|
|
|
b46d76 |
- p = do_rfc1035_name(p, name, limit);
|
|
|
b46d76 |
- if (!p)
|
|
|
b46d76 |
- {
|
|
|
b46d76 |
- va_end(ap);
|
|
|
b46d76 |
- goto truncated;
|
|
|
b46d76 |
- }
|
|
|
b46d76 |
-
|
|
|
b46d76 |
+ if (name && !(p = do_rfc1035_name(p, name, limit)))
|
|
|
b46d76 |
+ {
|
|
|
b46d76 |
+ va_end(ap);
|
|
|
b46d76 |
+ goto truncated;
|
|
|
b46d76 |
+ }
|
|
|
b46d76 |
+
|
|
|
b46d76 |
if (nameoffset < 0)
|
|
|
b46d76 |
{
|
|
|
b46d76 |
+ CHECK_LIMIT(2);
|
|
|
b46d76 |
PUTSHORT(-nameoffset | 0xc000, p);
|
|
|
b46d76 |
}
|
|
|
b46d76 |
else
|
|
|
b46d76 |
- *p++ = 0;
|
|
|
b46d76 |
+ {
|
|
|
b46d76 |
+ CHECK_LIMIT(1);
|
|
|
b46d76 |
+ *p++ = 0;
|
|
|
b46d76 |
+ }
|
|
|
b46d76 |
}
|
|
|
b46d76 |
|
|
|
b46d76 |
+ /* type (2) + class (2) + ttl (4) + rdlen (2) */
|
|
|
b46d76 |
+ CHECK_LIMIT(10);
|
|
|
b46d76 |
+
|
|
|
b46d76 |
PUTSHORT(type, p);
|
|
|
b46d76 |
PUTSHORT(class, p);
|
|
|
b46d76 |
PUTLONG(ttl, p); /* TTL */
|
|
|
b46d76 |
--
|
|
|
b46d76 |
2.7.4
|
|
|
b46d76 |
|