dns: fix buffer overflow for data->addresses in recv_hook

We may get more than one response before exiting out of loop in
grub_net_dns_lookup, but buffer was allocated for the first response only,
so storing answers from subsequent replies wrote past allocated size.
We never really use more than the very first address during lookup so there
is little point in collecting all of them. Just quit early if we already have
some reply.

Code needs serious redesign to actually collect multiple answers
and select the best fit according to requested type (IPv4 or IPv6).

Reported and tested by Michael Chang <mchang@suse.com>

diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
index 89741dd7d41ef16837a4ca0487b9d383efd41c24..5d9afe093c0ad07053bcbf864ad1b398c46422fd 100644 (file)
--- a/grub-core/net/dns.c
+++ b/grub-core/net/dns.c
@@ -238,6 +238,15 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
   char *redirect_save = NULL;
   grub_uint32_t ttl_all = ~0U;
 
+  /* Code apparently assumed that only one packet is received as response.
+     We may get multiple responses due to network condition, so check here
+     and quit early. */
+  if (*data->addresses)
+    {
+      grub_netbuff_free (nb);
+      return GRUB_ERR_NONE;
+    }
+
   head = (struct dns_header *) nb->data;
   ptr = (grub_uint8_t *) (head + 1);
   if (ptr >= nb->tail)