From: Andrei Borzenkov Date: Tue, 26 Jul 2016 17:38:58 +0000 (+0300) Subject: dns: fix buffer overflow for data->addresses in recv_hook X-Git-Tag: 2.02-rc1~75 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=52408aa94604466bdd80f48fa8d68378a1ffab31;p=thirdparty%2Fgrub.git dns: fix buffer overflow for data->addresses in recv_hook We may get more than one response before exiting out of loop in grub_net_dns_lookup, but buffer was allocated for the first response only, so storing answers from subsequent replies wrote past allocated size. We never really use more than the very first address during lookup so there is little point in collecting all of them. Just quit early if we already have some reply. Code needs serious redesign to actually collect multiple answers and select the best fit according to requested type (IPv4 or IPv6). Reported and tested by Michael Chang --- diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c index 89741dd7d..5d9afe093 100644 --- a/grub-core/net/dns.c +++ b/grub-core/net/dns.c @@ -238,6 +238,15 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), char *redirect_save = NULL; grub_uint32_t ttl_all = ~0U; + /* Code apparently assumed that only one packet is received as response. + We may get multiple responses due to network condition, so check here + and quit early. */ + if (*data->addresses) + { + grub_netbuff_free (nb); + return GRUB_ERR_NONE; + } + head = (struct dns_header *) nb->data; ptr = (grub_uint8_t *) (head + 1); if (ptr >= nb->tail)