From: Aaron Campbell Date: Mon, 2 Nov 2015 19:19:12 +0000 (-0400) Subject: Fix out-of-bounds memory access in DNS TXT record parser. X-Git-Tag: suricata-3.0RC1~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50f4fb2a7259a4b76c5c7fc5ee63e3be3ccdb10e;p=thirdparty%2Fsuricata.git Fix out-of-bounds memory access in DNS TXT record parser. The datalen variable is declared unsigned. If txtlen and datalen are equal, datalen will first be reduced to 0, and then the datalen-- line will cause its value to wrap to 65535. This will cause the loop to continue much longer than intended, and eventually may crash on an out-of-bounds *tdata dereference. Signed-off-by: Aaron Campbell --- diff --git a/src/app-layer-dns-common.c b/src/app-layer-dns-common.c index 4a3f9ccd05..3c67fe44d2 100644 --- a/src/app-layer-dns-common.c +++ b/src/app-layer-dns-common.c @@ -979,7 +979,7 @@ const uint8_t *DNSReponseParse(DNSState *dns_state, const DNSHeader * const dns_ do { //PrintRawDataFp(stdout, (uint8_t*)tdata, txtlen); - if (txtlen > datalen) + if (txtlen >= datalen) goto bad_data; DNSStoreAnswerInState(dns_state, list, fqdn, fqdn_len,
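Review bot: In the `if (txtlen >= datalen)` check, the equal case now goes to `bad_data`, yet the commit message describes that case as one where `datalen` is first reduced to 0, which means the string ends exactly at the end of the remaining data and is still in bounds. Rejecting it skips the `DNSStoreAnswerInState` call for a string that fits. Consider keeping `txtlen > datalen` here and instead leaving the loop once `datalen` reaches 0 after the subtraction, before the `datalen--` that wraps; that removes the wrap to 65535 without turning an exactly fitting final string into a parse error. If rejecting the equal case is intended, a comment at the check saying why would help, since `>=` on its own reads like an off-by-one.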