Improve bounds checking in rfc1035NameUnpack (#1725)
authorFrancesco Chemolli <5175948+kinkie@users.noreply.github.com>
Mon, 11 Mar 2024 12:06:41 +0000 (12:06 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Tue, 12 Mar 2024 05:44:03 +0000 (05:44 +0000)
Peter J. Philipp found an input buffer overread (by one byte) when
parsing certain malformed DNS responses. Add the missing check.

Co-authored-by: Peter J. Philipp <pbug44@delphinusdns.org>
src/dns/rfc1035.cc

index 1b0be10abaa5b25f4049a1dc0b5db49372f89509..2fe8ffd0092fa826c65e6639390aaa9169152f6a 100644 (file)
@@ -265,14 +265,14 @@ rfc1035NameUnpack(const char *buf, size_t sz, unsigned int *off, unsigned short
                 RFC1035_UNPACK_DEBUG;
                 return 1;
             }
-            memcpy(&s, buf + (*off), sizeof(s));
-            s = ntohs(s);
-            (*off) += sizeof(s);
-            /* Sanity check */
-            if ((*off) > sz) {
+            /* before copying compression offset value, ensure it is inside the buffer */
+            if ((*off) + sizeof(s) > sz) {
                 RFC1035_UNPACK_DEBUG;
                 return 1;
             }
+            memcpy(&s, buf + (*off), sizeof(s));
+            s = ntohs(s);
+            (*off) += sizeof(s);
             ptr = s & 0x3FFF;
             /* Make sure the pointer is inside this message */
             if (ptr >= sz) {
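Review bot: The new guard `if ((*off) + sizeof(s) > sz)` evaluates the sum in `size_t`, so on targets where `size_t` and `unsigned int` have the same width the addition can wrap for an `*off` near its maximum and the check would then pass; whether such a value can reach this line depends on the guard just above the hunk, which is not visible here. A subtraction form avoids the wrap regardless of width: `if (sizeof(s) > sz - (*off)) {`, which in turn relies on `*off <= sz` already holding at this point — presumably what the preceding check establishes, so worth confirming against it. It would also help to extend the added comment to state that invariant, e.g. `/* *off < sz here (checked above); ensure the full 2-byte compression offset is inside the buffer */`. rfc1035NameUnpack begins before and continues after this hunk.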