From: Francesco Chemolli <5175948+kinkie@users.noreply.github.com> Date: Mon, 11 Mar 2024 12:06:41 +0000 (+0000) Subject: Improve bounds checking in rfc1035NameUnpack (#1725) X-Git-Tag: SQUID_7_0_1~177 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1df2a7226a41c3dfe511aa0913c55031145f7c12;p=thirdparty%2Fsquid.git Improve bounds checking in rfc1035NameUnpack (#1725) Peter J. Philipp found an input buffer overread (by one byte) when parsing certain malformed DNS responses. Add the missing check. Co-authored-by: Peter J. Philipp --- diff --git a/src/dns/rfc1035.cc b/src/dns/rfc1035.cc index 1b0be10aba..2fe8ffd009 100644 --- a/src/dns/rfc1035.cc +++ b/src/dns/rfc1035.cc @@ -265,14 +265,14 @@ rfc1035NameUnpack(const char *buf, size_t sz, unsigned int *off, unsigned short RFC1035_UNPACK_DEBUG; return 1; } - memcpy(&s, buf + (*off), sizeof(s)); - s = ntohs(s); - (*off) += sizeof(s); - /* Sanity check */ - if ((*off) > sz) { + /* before copying compression offset value, ensure it is inside the buffer */ + if ((*off) + sizeof(s) > sz) { RFC1035_UNPACK_DEBUG; return 1; } + memcpy(&s, buf + (*off), sizeof(s)); + s = ntohs(s); + (*off) += sizeof(s); ptr = s & 0x3FFF; /* Make sure the pointer is inside this message */ if (ptr >= sz) {
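Review bot: The pre-copy check `if ((*off) + sizeof(s) > sz)` is the right fix, since the old post-copy check `if ((*off) > sz)` only ran after `memcpy(&s, buf + (*off), sizeof(s))` had already read two bytes; with `*off == sz - 1` the copy read `buf[sz]` one byte past the end and the check then fired on `*off == sz + 1`, too late to prevent the overread. The new ordering rejects that case before any read. The widening in `(*off) + sizeof(s)` (unsigned int plus size_t) cannot wrap for any `*off` that passed the earlier label-length check, so no additional overflow guard is needed. One nit: the commit message says "Add the missing check" but the hunk actually moves an existing check and tightens its condition; a sentence in the message noting that the check now runs before the copy and accounts for the two-byte read would make the intent clearer to future readers. The subsequent `if (ptr >= sz)` guard on the decoded compression pointer is unchanged and still covers the target side of the indirection.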