git.ipfire.org Git - thirdparty/suricata.git/commitdiff
Fix out-of-bounds memory access in DNS TXT record parser.
author Aaron Campbell <aaron@monkey.org>
Mon, 2 Nov 2015 19:19:12 +0000 (15:19 -0400)
committer Victor Julien <victor@inliniac.net>
Wed, 25 Nov 2015 10:19:14 +0000 (11:19 +0100)
The datalen variable is declared unsigned.  If txtlen and datalen are equal,
datalen will first be reduced to 0, and then the datalen-- line will cause its
value to wrap to 65535.  This will cause the loop to continue much longer than
intended, and eventually may crash on an out-of-bounds *tdata dereference.

Signed-off-by: Aaron Campbell <aaron@monkey.org>
src/app-layer-dns-common.c

index 4a3f9ccd053962312f662b8f0145f378f70a1c4a..3c67fe44d2cf552d74b2beda5efce9718626650d 100644 (file)
@@ -979,7 +979,7 @@ const uint8_t *DNSReponseParse(DNSState *dns_state, const DNSHeader * const dns_
             do {
                 //PrintRawDataFp(stdout, (uint8_t*)tdata, txtlen);
 
-                if (txtlen > datalen)
+                if (txtlen >= datalen)
                     goto bad_data;
 
                 DNSStoreAnswerInState(dns_state, list, fqdn, fqdn_len,
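Review bot: The `>=` in `if (txtlen >= datalen)` carries no comment saying why equality is rejected, so in the source it reads like an off-by-one and invites a later change back to `>`. The reason is only in the commit message: datalen is unsigned and is decremented once more after txtlen is subtracted, so txtlen == datalen would wrap it to 65535. Suggest a one-line comment above the check stating that, plus a regression test with a TXT record whose txtlen equals the remaining datalen so the bad_data path stays covered. It would also be more robust to guard the `datalen--` mentioned in the commit message against zero directly, rather than relying on this comparison alone to keep it from wrapping.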