hesiod: Avoid heap overflow in get_txt_records [BZ #20031]

author Florian Weimer <fweimer@redhat.com>

Mon, 2 May 2016 14:04:32 +0000 (16:04 +0200)

committer Florian Weimer <fweimer@redhat.com>

Mon, 2 May 2016 14:04:32 +0000 (16:04 +0200)
author Florian Weimer <fweimer@redhat.com>
Mon, 2 May 2016 14:04:32 +0000 (16:04 +0200)
committer Florian Weimer <fweimer@redhat.com>
Mon, 2 May 2016 14:04:32 +0000 (16:04 +0200)
diff --git a/ChangeLog b/ChangeLog

index 1149fd30e26d2499f67e49958871b88f5e909dc6..d7044ea43da2dab02e1aa43e6d04ac75da3ac0fd 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2016-05-02  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #20031]
+       * hesiod/hesiod.c (get_txt_records): Return error if TXT record is
+       completely empty.
+
  2016-05-02  Florian Weimer  <fweimer@redhat.com>
  
         [BZ #19573]
diff --git a/hesiod/hesiod.c b/hesiod/hesiod.c

index 6ecbad11cc726727af4caa075ea1dac79525cd45..c2925a0f99e08750c37a8fd4f711597093c25899 100644 (file)
--- a/hesiod/hesiod.c
+++ b/hesiod/hesiod.c
@@ -398,7 +398,7 @@ get_txt_records(struct hesiod_p *ctx, int class, const char *name) {
                 cp += INT16SZ + INT32SZ;        /* skip the ttl, too */
                 rr.dlen = ns_get16(cp);
                 cp += INT16SZ;
-               if (cp + rr.dlen > eom) {
+               if (rr.dlen == 0 || cp + rr.dlen > eom) {
                         __set_errno(EMSGSIZE);
                         goto cleanup;
                 }
author	Florian Weimer <fweimer@redhat.com>
	Mon, 2 May 2016 14:04:32 +0000 (16:04 +0200)
committer	Florian Weimer <fweimer@redhat.com>
	Mon, 2 May 2016 14:04:32 +0000 (16:04 +0200)
ChangeLog		patch \| blob \| blame \| history
hesiod/hesiod.c		patch \| blob \| blame \| history