dns-domain: make each label nul-terminated

dns_label_unescape() does not nul-terminate the buffer if it does not
have enough space. Hence, if a lable is enough long, then strjoin()
triggers buffer-overflow.

Fixes #23705.

diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c
index 9acf1cb0d693ef9b83e7090daff6fa04331d43d8..97839e7d73a7cec8b0453da5007111d671a068aa 100644 (file)
--- a/src/shared/dns-domain.c
+++ b/src/shared/dns-domain.c
@@ -1025,7 +1025,7 @@ static bool dns_service_name_label_is_valid(const char *label, size_t n) {
 int dns_service_split(const char *joined, char **_name, char **_type, char **_domain) {
         _cleanup_free_ char *name = NULL, *type = NULL, *domain = NULL;
         const char *p = joined, *q = NULL, *d = NULL;
-        char a[DNS_LABEL_MAX], b[DNS_LABEL_MAX], c[DNS_LABEL_MAX];
+        char a[DNS_LABEL_MAX+1], b[DNS_LABEL_MAX+1], c[DNS_LABEL_MAX+1];
         int an, bn, cn, r;
         unsigned x = 0;
 

diff --git a/src/test/test-dns-domain.c b/src/test/test-dns-domain.c
index 3a26ecaa70efd4ee396a7c052a5e1f57f6ed1a7c..0fbac9dbd9dbf0b8a76110cc029a5c1ab9df828a 100644 (file)
--- a/src/test/test-dns-domain.c
+++ b/src/test/test-dns-domain.c
@@ -540,6 +540,7 @@ TEST(dns_service_split) {
         test_dns_service_split_one("_foo._bar", NULL, "_foo._bar", ".", 0);
         test_dns_service_split_one("_meh._foo._bar", "_meh", "_foo._bar", ".", 0);
         test_dns_service_split_one("Wuff\\032Wuff._foo._bar.waldo.com", "Wuff Wuff", "_foo._bar", "waldo.com", 0);
+        test_dns_service_split_one("_Q._Q-------------------------------------------------------------", NULL, "_Q._Q-------------------------------------------------------------", ".", 0);
 }
 
 static void test_dns_name_change_suffix_one(const char *name, const char *old_suffix, const char *new_suffix, int r, const char *result) {