- Add extra dnamelen checks to ipdnametoaddr and netblockdnametoaddr

diff --git a/util/net_help.c b/util/net_help.c
index 68a67fbd2b47b9d7c77182f6205732594fa45823..c1ff25d63d09f8fc20140c79adec8b0a6aa9fe6b 100644 (file)
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -296,6 +296,11 @@ static int ipdnametoaddr(uint8_t* dname, size_t dnamelen,
        size_t len = 0;
        int i;
        *af = AF_INET;
+
+       /* need 1 byte for label length */
+       if(dnamelen < 1)
+               return 0;
+
        if(dnamelabs > 6 ||
                dname_has_label(dname, dnamelen, (uint8_t*)"\002zz")) {
                *af = AF_INET6;
@@ -363,17 +368,23 @@ int netblockdnametoaddr(uint8_t* dname, size_t dnamelen,
        struct sockaddr_storage* addr, socklen_t* addrlen, int* net, int* af)
 {
        char buff[3 /* 3 digit netblock */ + 1];
-       if(*dname > 3)
+       size_t nlablen;
+       if(dnamelen < 1 || *dname > 3)
                /* netblock invalid */
                return 0;
-       memcpy(buff, dname+1, *dname);
-       buff[*dname] = '\0';
+       nlablen = *dname;
+
+       if(dnamelen < 1 + nlablen)
+               return 0;
+
+       memcpy(buff, dname+1, nlablen);
+       buff[nlablen] = '\0';
        *net = atoi(buff);
        if(*net == 0 && strcmp(buff, "0") != 0)
                return 0;
-       dname += *dname;
+       dname += nlablen;
        dname++;
-       if(!ipdnametoaddr(dname, dnamelen, addr, addrlen, af))
+       if(!ipdnametoaddr(dname, dnamelen-1-nlablen, addr, addrlen, af))
                return 0;
        if((*af == AF_INET6 && *net > 128) || (*af == AF_INET && *net > 32))
                return 0;