From: Remi Gacogne Date: Thu, 2 Apr 2020 14:49:44 +0000 (+0200) Subject: Fix an out-of-bounds read (up to 4 bytes) in the packet cache X-Git-Tag: rec-4.5.0-alpha0~3^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=745b16266a5751fc15029bc740548c403532b687;p=thirdparty%2Fpdns.git Fix an out-of-bounds read (up to 4 bytes) in the packet cache Detected by OSS-Fuzz. Also make sure that we don't try to parse packets smaller than 12 bytes in the fuzzing target, those are usually dropped earlier.
---
diff --git a/pdns/fuzz_packetcache.cc b/pdns/fuzz_packetcache.cc
index c53306c744..98f99d372f 100644
--- a/pdns/fuzz_packetcache.cc
+++ b/pdns/fuzz_packetcache.cc
@@ -29,7 +29,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- if (size > std::numeric_limits::max()) {
+ if (size > std::numeric_limits::max() || size < sizeof(dnsheader)) {
 return 0;
 }
diff --git a/pdns/packetcache.hh b/pdns/packetcache.hh
index 9baa8b3dd6..bbb670df57 100644
--- a/pdns/packetcache.hh
+++ b/pdns/packetcache.hh
@@ -76,7 +76,7 @@ public:
 uint16_t optionLen;
 while (pos < packetSize && rdataRead < rdLen && getNextEDNSOption(&packet.at(pos), rdLen - rdataRead, optionCode, optionLen)) {
- if (optionLen > (rdLen - rdataRead)) {
+ if (optionLen > (rdLen - rdataRead - 4)) {
 if (packetSize > pos) {
 currentHash = burtle(reinterpret_cast(&packet.at(pos)), packetSize - pos, currentHash);
 }
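Review bot: The new `size < sizeof(dnsheader)` guard in LLVMFuzzerTestOneInput has no comment saying why short inputs are skipped, and the commit message only says such packets are "usually" dropped earlier. Because the guard removes sub-header inputs from fuzz coverage, I would record the assumption next to the check, e.g. `// callers are expected to drop packets shorter than a DNS header before the packet cache sees them`, and confirm that every caller of the cache hashing code enforces that minimum. The body of the function continues outside the hunk.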
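Review bot: The bound `rdLen - rdataRead - 4` in the changed `if` drops below zero whenever fewer than 4 bytes of rdata remain, and the loop condition only guarantees `rdataRead < rdLen`. If both operands are 16-bit and promoted to int the comparison still takes this branch, but if either is an unsigned type of int width or wider (their declarations are outside the hunk) the subtraction wraps and the check passes. Unless getNextEDNSOption is known to reject a remaining length under 4, I would make the case explicit: `if ((rdLen - rdataRead) < 4 || optionLen > (rdLen - rdataRead - 4)) {`. The literal 4 also deserves a named constant or a comment, presumably the option code plus option length fields. The enclosing function starts and ends outside the hunk.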