BUG: dns: Prevent out-of-bounds read in dns_read_name()
authorRemi Gacogne <remi.gacogne@powerdns.com>
Wed, 5 Dec 2018 16:55:10 +0000 (17:55 +0100)
committerWilly Tarreau <w@1wt.eu>
Wed, 12 Dec 2018 13:44:13 +0000 (14:44 +0100)
Some callers of dns_read_name() do not make sure that we can read
the first byte, holding the length of the next label, without going
past our buffer, so we need to make sure of that.
In addition, if the label is a compressed one we need to make sure
that we can read the following byte to compute the target offset.

To be backported to 1.8, probably also 1.7.

src/dns.c

index 50fc16e09f8dc915a70a7c24075d0ec8496af1d2..fead2613ad7bc4258bc8925e2c3aa9a46f462a67 100644 (file)
--- a/src/dns.c
+++ b/src/dns.c
@@ -402,8 +402,14 @@ int dns_read_name(unsigned char *buffer, unsigned char *bufend,
        char *dest = destination;
 
        while (1) {
+               if (reader >= bufend)
+                       goto err;
+
                /* Name compression is in use */
                if ((*reader & 0xc0) == 0xc0) {
+                       if (reader + 1 >= bufend)
+                               goto err;
+
                        /* Must point BEFORE current position */
                        if ((buffer + reader[1]) > reader)
                                goto err;
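Review bot: The compression-pointer check on the context line `if ((buffer + reader[1]) > reader)` still takes only the second byte as the target offset, whereas a DNS compression pointer carries a 14-bit offset spread over both bytes (RFC 1035 section 4.1.4). The added `reader + 1 >= bufend` guard makes both bytes safe to read, so the full offset can be computed with `unsigned int offset = ((reader[0] & 0x3f) << 8) | reader[1];` and checked with `if (buffer + offset >= reader) goto err;`. As written, a pointer whose target lies past offset 255 is validated against the wrong position, and `>` also accepts a pointer that targets its own position. How the target is followed is outside this hunk, as are the start and end of dns_read_name(), so whether this yields a misparse or unbounded recursion should be confirmed against the rest of the function.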