BUG: dns: Fix out-of-bounds read via signedness error in dns_validate_dns_response()
authorRemi Gacogne <remi.gacogne@powerdns.com>
Wed, 5 Dec 2018 16:57:49 +0000 (17:57 +0100)
committerWilly Tarreau <w@1wt.eu>
Wed, 12 Dec 2018 13:44:38 +0000 (14:44 +0100)
Since the data_len field of the dns_answer_item struct was an int16_t,
record length values larger than 2^15-1 were causing an integer
overflow and thus may have been interpreted as negative, making us
read well before the beginning of the buffer.
This might have led to information disclosure or a crash.

To be backported to 1.8, probably also 1.7.

include/types/dns.h

index d7afe02cd859f7e2695dc9d993ac9e0bb9a0cec2..0ebe380b0f94cc14803ca4d81e17341a9646b270 100644 (file)
@@ -145,7 +145,7 @@ struct dns_answer_item {
        int16_t         priority;                  /* SRV type priority */
        uint16_t        weight;                    /* SRV type weight */
        int16_t         port;                      /* SRV type port */
-       int16_t         data_len;                  /* number of bytes in target below */
+       uint16_t        data_len;                  /* number of bytes in target below */
        struct sockaddr address;                   /* IPv4 or IPv6, network format */
        char            target[DNS_MAX_NAME_SIZE]; /* Response data: SRV or CNAME type target */
        time_t          last_seen;                 /* When was the answer was last seen */
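Review bot: The `priority` and `port` members in the context lines above are still `int16_t`, although SRV priority and port are unsigned 16-bit values on the wire (RFC 2782), so a port above 32767 would be stored as a negative number; this is the same kind of signedness problem the commit fixes for `data_len`. I would change them to `uint16_t priority;` and `uint16_t port;` after checking how callers compare and print them. Separately, `data_len` can now hold values up to 65535 while `target` is only DNS_MAX_NAME_SIZE bytes, so the parser (not visible in this hunk, presumably dns_validate_dns_response()) should reject a record length larger than the size of `target` before using it as a copy or read length. The struct definition begins and ends outside the hunk, so other members may need the same review.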