From 50f4fb2a7259a4b76c5c7fc5ee63e3be3ccdb10e Mon Sep 17 00:00:00 2001
From: Aaron Campbell
Date: Mon, 2 Nov 2015 15:19:12 -0400
Subject: [PATCH] Fix out-of-bounds memory access in DNS TXT record parser.

The datalen variable is declared unsigned. If txtlen and datalen are equal, datalen will first be reduced to 0, and then the datalen-- line will cause its value to wrap to 65535. This will cause the loop to continue much longer than intended, and eventually may crash on an out-of-bounds *tdata dereference.

Signed-off-by: Aaron Campbell
---
 src/app-layer-dns-common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app-layer-dns-common.c b/src/app-layer-dns-common.c
index 4a3f9ccd05..3c67fe44d2 100644
--- a/src/app-layer-dns-common.c
+++ b/src/app-layer-dns-common.c
@@ -979,7 +979,7 @@ const uint8_t *DNSReponseParse(DNSState *dns_state, const DNSHeader * const dns_
 do {
 //PrintRawDataFp(stdout, (uint8_t*)tdata, txtlen);
- if (txtlen > datalen)
+ if (txtlen >= datalen)
 goto bad_data;
 DNSStoreAnswerInState(dns_state, list, fqdn, fqdn_len,
-- 
2.47.2
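Review bot: The new `>=` on the changed line is correct only because of the unsigned-wrap behaviour the commit message describes, and nothing in the code says so, so a future reader is likely to "fix" it back to `>`; please add a comment above the check such as `/* txtlen must leave at least one byte of datalen for the length octet itself; equality would wrap datalen to 65535 on the datalen-- below */`. It would also be worth confirming that the per-iteration read of the next length byte through `*tdata`, which the description mentions but the hunk does not show, is itself bounded by the record before it is dereferenced, since the check here only constrains the string that was already read. A regression unit test with a TXT record whose single string length equals data_len would pin this down. DNSReponseParse begins and ends outside the hunk.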