From: Victor Julien
Date: Thu, 14 Apr 2016 07:46:56 +0000 (+0200)
Subject: dns: don't read uninitialized memory in name parsing
X-Git-Tag: suricata-3.1RC1~245
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3f16ebe4762775e4d11c2d63d0153643016e4012;p=thirdparty%2Fsuricata.git
dns: don't read uninitialized memory in name parsing
AFL+ASAN found that with certain input we used an uninitialized byte in the length calculation. Probably harmless as the length was still validated afterwards.
---
diff --git a/src/app-layer-dns-common.c b/src/app-layer-dns-common.c
index 339610a705..664a6e0a93 100644
--- a/src/app-layer-dns-common.c
+++ b/src/app-layer-dns-common.c
@@ -656,7 +656,7 @@ void DNSStoreAnswerInState(DNSState *dns_state, const int rtype, const uint8_t *
static uint16_t DNSResponseGetNameByOffset(const uint8_t * const input, const uint32_t input_len, const uint16_t offset, uint8_t *fqdn, const size_t fqdn_size) {
- if (input + input_len < input + offset + 1) {
+ if (offset >= input_len) {
SCLogDebug("input buffer too small for domain of len %u", offset);
goto insufficient_data;
}
@@ -672,13 +672,18 @@ static uint16_t DNSResponseGetNameByOffset(const uint8_t * const input, const ui
SCReturnUInt(6U);
}
+ if ((uint64_t)((qdata + 1) - input) >= (uint64_t)input_len) {
+ SCLogDebug("input buffer too small");
+ goto insufficient_data;
+ }
+
while (length != 0) {
int cnt = 0;
while (length & 0xc0) {
uint16_t offset = ((length & 0x3f) << 8) + *(qdata+1);
qdata = (const uint8_t *)input + offset;
- if (input + input_len < qdata + 1) {
+ if ((uint64_t)((qdata + 1) - input) >= (uint64_t)input_len) {
SCLogDebug("input buffer too small");
goto insufficient_data;
}
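Review bot: The new bound `offset >= input_len` guarantees only that `input[offset]` is readable, while a compression pointer at that position also needs `input[offset + 1]`; that second byte appears to be covered by the `(qdata + 1) - input` check added further down in this commit, so the split of responsibility deserves a comment on this line, e.g. `/* only input[offset] is in bounds here; input[offset+1] is checked below before it is read as a compression pointer */`. The debug line that follows also prints the offset under the label "domain of len", which reads as a length; `SCLogDebug("input buffer too small for name at offset %u", offset);` would state what was actually checked. DNSResponseGetNameByOffset continues outside this hunk.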
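Review bot: The added bound `(uint64_t)((qdata + 1) - input) >= (uint64_t)input_len` silently encodes a two-byte requirement (both `qdata[0]` and the `qdata[1]` read by the compression-pointer branch must be inside the input), and the same expression is pasted three times — twice here and once more in the hunk at line 715 — with nothing naming that intent. A small static helper that works on the offset rather than on pointers would document the requirement, keep the comparison in unsigned arithmetic, and preserve the useful side effect of the cast that a `qdata` lying before `input` (negative difference) fails the check. Note that the stricter bound also rejects a name whose final length byte is the very last byte of the input; that is acceptable for records that are always followed by type/class fields, but a comment should say so. The enclosing function and the `while (length != 0)` loop start and end outside this hunk, and the bound on `cnt` for chained compression pointers is not visible here.
```c
/* Returns 1 when the 'need' bytes starting at p lie inside input[0..input_len).
 * Computed on the offset, not on pointers, so a p before input or far past the
 * end cannot pass. */
static inline int DNSInputHasBytes(const uint8_t *input, uint32_t input_len,
        const uint8_t *p, size_t need)
{
    uint64_t off = (uint64_t)(p - input);
    return off <= input_len && (uint64_t)input_len - off >= need;
}

/* … unchanged: offset check, first length byte, SCReturnUInt(6U) … */
    /* the length byte and, if it is a compression pointer, the byte after it */
    if (!DNSInputHasBytes(input, input_len, qdata, 2)) {
        SCLogDebug("input buffer too small");
        goto insufficient_data;
    }
/* … unchanged: label loop; the check after the pointer jump uses the same helper … */
```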
@@ -710,8 +715,8 @@ static uint16_t DNSResponseGetNameByOffset(const uint8_t * const input, const ui
}
qdata += length;
- if (input + input_len < qdata + 1) {
- SCLogDebug("input buffer too small for len field");
+ if ((uint64_t)((qdata + 1) - input) >= (uint64_t)input_len) {
+ SCLogDebug("input buffer too small");
goto insufficient_data;
}
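Review bot: The replaced debug message drops the "for len field" suffix, so this failure now logs exactly the same text as the two bounds checks in the preceding hunk and a debug trace can no longer tell which of the three tripped; keep the distinguishing text on the new line, `SCLogDebug("input buffer too small for len field");`. The enclosing loop and DNSResponseGetNameByOffset continue outside this hunk.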