From: Alan T. DeKok <aland@freeradius.org>
Date: Thu, 12 Oct 2023 15:29:14 +0000 (-0400)
Subject: add end check to loop limit
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c08fc48f0f2d6cd7d078d543588479cd72929e0;p=thirdparty%2Ffreeradius-server.git

add end check to loop limit

and remove end check inside of loop.

The fr_struct_from_network() function will also enforce "end"
---

diff --git a/src/protocols/dns/decode.c b/src/protocols/dns/decode.c
index 04f5947b92c..cd0a2b5ab4e 100644
--- a/src/protocols/dns/decode.c
+++ b/src/protocols/dns/decode.c
@@ -234,19 +234,18 @@ static ssize_t decode_record(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dict_attr_
 	int i, count;
 	uint8_t const *p = rr;
 
+	/*
+	 *	The header has a count of how many records we need to decode.
+	 */
 	count = fr_nbo_to_uint16(counter);
 	FR_PROTO_TRACE("Decoding %u of %s", count, attr->name);
+
 	/* coverity[tainted_data] */
-	for (i = 0; i < count; i++) {
+	for (i = 0; (i < count) && (p < end); i++) {
 		ssize_t slen;
 
 		FR_PROTO_HEX_DUMP(p, end - p, "fr_dns_decode - %s %d/%d", attr->name, i, count);
 
-		if (p >= end) {
-			fr_strerror_printf("%s structure at count %d/%d overflows the packet", attr->name, i, count);
-			return -(p - rr);
-		}
-
 		slen = fr_struct_from_network(ctx, out, attr, p, end - p, true,
 					      packet_ctx, decode_value_trampoline, decode_tlv_trampoline);
 		if (slen < 0) return slen;