hesiod: Avoid heap overflow in get_txt_records [BZ #20031]

author Florian Weimer <fweimer@redhat.com>

Mon, 2 May 2016 14:04:32 +0000 (16:04 +0200)

committer Florian Weimer <fweimer@redhat.com>

Mon, 9 May 2016 09:18:58 +0000 (11:18 +0200)
author Florian Weimer <fweimer@redhat.com>
Mon, 2 May 2016 14:04:32 +0000 (16:04 +0200)
committer Florian Weimer <fweimer@redhat.com>
Mon, 9 May 2016 09:18:58 +0000 (11:18 +0200)
diff --git a/ChangeLog b/ChangeLog

index 00c9c1ea3247b8e84c3c57034dc583cd240374e1..1c76a4b704feea3ec1bd1f04a1e1dfb843cb7f7b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2016-05-02  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #20031]
+       * hesiod/hesiod.c (get_txt_records): Return error if TXT record is
+       completely empty.
+
  2016-05-02  Florian Weimer  <fweimer@redhat.com>
  
         [BZ #19573]
diff --git a/hesiod/hesiod.c b/hesiod/hesiod.c

index 5b13b3f1c443a566f62cebcc09bde4472dc87a92..98ddee39a401b2bbcd9533e2209b179b7afec9a4 100644 (file)
--- a/hesiod/hesiod.c
+++ b/hesiod/hesiod.c
@@ -411,7 +411,7 @@ get_txt_records(struct hesiod_p *ctx, int class, const char *name) {
                 cp += INT16SZ + INT32SZ;        /* skip the ttl, too */
                 rr.dlen = ns_get16(cp);
                 cp += INT16SZ;
-               if (cp + rr.dlen > eom) {
+               if (rr.dlen == 0 || cp + rr.dlen > eom) {
                         __set_errno(EMSGSIZE);
                         goto cleanup;
                 }
author	Florian Weimer <fweimer@redhat.com>
	Mon, 2 May 2016 14:04:32 +0000 (16:04 +0200)
committer	Florian Weimer <fweimer@redhat.com>
	Mon, 9 May 2016 09:18:58 +0000 (11:18 +0200)
ChangeLog		patch \| blob \| blame \| history
hesiod/hesiod.c		patch \| blob \| blame \| history