From: Alan T. DeKok <aland@freeradius.org>
Date: Mon, 11 Oct 2021 15:19:23 +0000 (-0400)
Subject: check for more corner cases
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d926719721f0ad2d9b0dc4a248c8a411fd0733b;p=thirdparty%2Ffreeradius-server.git

check for more corner cases
---

diff --git a/src/lib/util/dns.c b/src/lib/util/dns.c
index f63836bfe9a..04441378cf9 100644
--- a/src/lib/util/dns.c
+++ b/src/lib/util/dns.c
@@ -937,6 +937,13 @@ ssize_t fr_dns_label_uncompressed_length(uint8_t const *packet, uint8_t const *b
 			break;
 		}
 
+		/*
+		 *	If there's only one byte in the packet, then
+		 *	it MUST be 0x00.  If it's not, then the label
+		 *	overflows the buffer.
+		 */
+		if ((p + 1) >= end) goto overflow;
+
 		/*
 		 *	0b10 and 0b10 are forbidden
 		 */
@@ -1218,6 +1225,18 @@ ssize_t fr_dns_label_to_value_box(TALLOC_CTX *ctx, fr_value_box_t *dst,
 	uint8_t *p;
 	char *q;
 
+	if (!len) return -1;
+
+	/*
+	 *	The label must be within the current buffer we're
+	 *	passed.
+	 */
+	if ((label < src) || (label >= end)) return -1;
+
+	/*
+	 *	The actual packet might start earlier than the buffer,
+	 *	so reset it if necessary.
+	 */
 	if (lb) packet = lb->start;
 
 	/*