check for more corner cases

author Alan T. DeKok <aland@freeradius.org>

Mon, 11 Oct 2021 15:19:23 +0000 (11:19 -0400)

committer Alan T. DeKok <aland@freeradius.org>

Mon, 11 Oct 2021 17:03:33 +0000 (13:03 -0400)
author Alan T. DeKok <aland@freeradius.org>
Mon, 11 Oct 2021 15:19:23 +0000 (11:19 -0400)
committer Alan T. DeKok <aland@freeradius.org>
Mon, 11 Oct 2021 17:03:33 +0000 (13:03 -0400)
diff --git a/src/lib/util/dns.c b/src/lib/util/dns.c

index f63836bfe9ad025a259273bc6822767df8b339b0..04441378cf9c7fec769703bb341a880e2357a2ac 100644 (file)
--- a/src/lib/util/dns.c
+++ b/src/lib/util/dns.c
@@ -937,6 +937,13 @@ ssize_t fr_dns_label_uncompressed_length(uint8_t const *packet, uint8_t const *b
                         break;
                 }
  
+               /*
+                *      If there's only one byte in the packet, then
+                *      it MUST be 0x00.  If it's not, then the label
+                *      overflows the buffer.
+                */
+               if ((p + 1) >= end) goto overflow;
+
                 /*
                  *      0b10 and 0b10 are forbidden
                  */
@@ -1218,6 +1225,18 @@ ssize_t fr_dns_label_to_value_box(TALLOC_CTX *ctx, fr_value_box_t *dst,
         uint8_t *p;
         char *q;
  
+       if (!len) return -1;
+
+       /*
+        *      The label must be within the current buffer we're
+        *      passed.
+        */
+       if ((label < src) || (label >= end)) return -1;
+
+       /*
+        *      The actual packet might start earlier than the buffer,
+        *      so reset it if necessary.
+        */
         if (lb) packet = lb->start;
  
         /*
author	Alan T. DeKok <aland@freeradius.org>
	Mon, 11 Oct 2021 15:19:23 +0000 (11:19 -0400)
committer	Alan T. DeKok <aland@freeradius.org>
	Mon, 11 Oct 2021 17:03:33 +0000 (13:03 -0400)