From: Remi Gacogne Date: Wed, 5 Dec 2018 16:55:10 +0000 (+0100) Subject: BUG: dns: Prevent out-of-bounds read in dns_read_name() X-Git-Tag: v1.9-dev11~81 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d19fbcab21356f5aee1f2a52591a38665360bb6;p=thirdparty%2Fhaproxy.git BUG: dns: Prevent out-of-bounds read in dns_read_name() Some callers of dns_read_name() do not make sure that we can read the first byte, holding the length of the next label, without going past our buffer, so we need to make sure of that. In addition, if the label is a compressed one we need to make sure that we can read the following byte to compute the target offset. To be backported to 1.8, probably also 1.7. --- diff --git a/src/dns.c b/src/dns.c index 50fc16e09f..fead2613ad 100644 --- a/src/dns.c +++ b/src/dns.c @@ -402,8 +402,14 @@ int dns_read_name(unsigned char *buffer, unsigned char *bufend, char *dest = destination; while (1) { + if (reader >= bufend) + goto err; + /* Name compression is in use */ if ((*reader & 0xc0) == 0xc0) { + if (reader + 1 >= bufend) + goto err; + /* Must point BEFORE current position */ if ((buffer + reader[1]) > reader) goto err;
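
Review bot: in the compression branch, the unchanged check right after the new `reader + 1 >= bufend` guard still builds the target from `reader[1]` alone, so the low six bits of `*reader` that form the upper part of a 14-bit DNS compression offset are ignored. Now that both pointer bytes are known to be readable, the offset could be computed as `((reader[0] & 0x3f) << 8) | reader[1]` and then validated against both the current position and `bufend`. The same check uses `>`, so a pointer whose target equals `reader` passes it. If nothing outside this hunk bounds the recursion depth, `>=` would be the safer comparison. The two added guards cover the length byte and the second pointer byte only. The hunk does not show whether the label bytes that follow an ordinary length byte are checked against `bufend` before being copied, which is worth confirming before the backport to 1.8 and 1.7.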