From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 3 Dec 2019 14:42:34 +0000 (+0100)
Subject: - Fix OOB Read in sldns_wire2str_dname_scan(),
X-Git-Tag: release-1.9.6rc1~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e183a66d60039ee66a120279dc759211a035406a;p=thirdparty%2Funbound.git

- Fix OOB Read in sldns_wire2str_dname_scan(),
  reported by X41 D-Sec.
---

diff --git a/doc/Changelog b/doc/Changelog
index 16b6d53c1..aabdcec25 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -8,6 +8,8 @@
 	- Fix similar code in auth_zone synth cname to add the extra checks.
 	- Fix Assert Causing DoS in dname_pkt_copy(),
 	  reported by X41 D-Sec.
+	- Fix OOB Read in sldns_wire2str_dname_scan(),
+	  reported by X41 D-Sec.
 
 2 December 2019: Wouter
 	- Merge pull request #122 from he32: In tcp_callback_writer(),
diff --git a/sldns/wire2str.c b/sldns/wire2str.c
index ddff33a28..8ccc78d95 100644
--- a/sldns/wire2str.c
+++ b/sldns/wire2str.c
@@ -798,7 +798,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 		(*dlen)--;
 		return sldns_str_print(s, slen, ".");
 	}
-	while(*pos) {
+	while((!pkt || pos < pkt+pktlen) && *pos) {
 		/* read label length */
 		uint8_t labellen = *pos++;
 		if(in_buf) { (*d)++; (*dlen)--; }