Peter J. Philipp found an input buffer overread (by one byte) when
parsing certain malformed DNS responses. Add the missing check.
Co-authored-by: Peter J. Philipp <pbug44@delphinusdns.org>
RFC1035_UNPACK_DEBUG;
return 1;
}
RFC1035_UNPACK_DEBUG;
return 1;
}
- memcpy(&s, buf + (*off), sizeof(s));
- s = ntohs(s);
- (*off) += sizeof(s);
- /* Sanity check */
- if ((*off) > sz) {
+ /* before copying compression offset value, ensure it is inside the buffer */
+ if ((*off) + sizeof(s) > sz) {
RFC1035_UNPACK_DEBUG;
return 1;
}
RFC1035_UNPACK_DEBUG;
return 1;
}
+ memcpy(&s, buf + (*off), sizeof(s));
+ s = ntohs(s);
+ (*off) += sizeof(s);
ptr = s & 0x3FFF;
/* Make sure the pointer is inside this message */
if (ptr >= sz) {
ptr = s & 0x3FFF;
/* Make sure the pointer is inside this message */
if (ptr >= sz) {