From 15dfe22be278cb1f0194de0b0ab790ba9dc4fc33 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Fri, 23 Jun 2017 23:11:28 +0200 Subject: [PATCH] c-ares NAPTR parser out of bounds access CVE: CVE-2017-1000381 Upstream bug: https://c-ares.haxx.se/adv_20170620.html --- deps/cares/src/ares_parse_naptr_reply.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/deps/cares/src/ares_parse_naptr_reply.c b/deps/cares/src/ares_parse_naptr_reply.c index 11634df984..717d355778 100644 --- a/deps/cares/src/ares_parse_naptr_reply.c +++ b/deps/cares/src/ares_parse_naptr_reply.c @@ -110,6 +110,12 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen, status = ARES_EBADRESP; break; } + /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */ + if (rr_len < 7) + { + status = ARES_EBADRESP; + break; + } /* Check if we are really looking at a NAPTR record */ if (rr_class == C_IN && rr_type == T_NAPTR) @@ -185,4 +191,3 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen, return ARES_SUCCESS; } - -- 2.13.1