Detected by OSS-Fuzz. Also make sure that we don't try to parse
packets smaller than 12 bytes in the fuzzing target, those are
usually dropped earlier.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- if (size > std::numeric_limits<uint16_t>::max()) {
+ if (size > std::numeric_limits<uint16_t>::max() || size < sizeof(dnsheader)) {
return 0;
}
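Review bot: The new lower bound `size < sizeof(dnsheader)` exists only in the fuzz harness, so the code under test is no longer exercised with short packets and its safety for them rests on callers dropping such packets earlier. The check deserves a comment stating that precondition, for example `// packets shorter than a DNS header are dropped before reaching this code, so they are not fuzzed`. If the fuzzed function does not already check or assert the minimum length at its own entry, adding that there would keep the invariant from depending on every caller. The body of LLVMFuzzerTestOneInput continues outside the hunk, so the fuzzed call itself is not visible here.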
uint16_t optionLen;
while (pos < packetSize && rdataRead < rdLen && getNextEDNSOption(&packet.at(pos), rdLen - rdataRead, optionCode, optionLen)) {
- if (optionLen > (rdLen - rdataRead)) {
+ if (optionLen > (rdLen - rdataRead - 4)) {
if (packetSize > pos) {
currentHash = burtle(reinterpret_cast<const unsigned char*>(&packet.at(pos)), packetSize - pos, currentHash);
}
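Review bot: The bare `4` in `optionLen > (rdLen - rdataRead - 4)` has no name or comment; it is presumably the EDNS option header (2-byte code plus 2-byte length) that precedes the payload, and a named constant or a comment such as `// 4 = option code + option length fields` would let a reader check the bound. The subtraction is also safe only if it cannot underflow: with 16-bit operands it is promoted to int and a negative result still takes the early-exit branch, but with size_t operands it would wrap to a huge value and the check would be skipped. The declarations of rdLen and rdataRead and the body of getNextEDNSOption are outside the hunk, so confirm which case applies; writing the test as `rdataRead + 4 + optionLen > rdLen` avoids the question entirely. The loop body continues outside the hunk.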