From 745b16266a5751fc15029bc740548c403532b687 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Thu, 2 Apr 2020 16:49:44 +0200
Subject: [PATCH] Fix an out-of-bounds read (up to 4 bytes) in the packet cache

Detected by OSS-Fuzz. Also make sure that we don't try to parse packets smaller than 12 bytes in the fuzzing target, those are usually dropped earlier.
---
 pdns/fuzz_packetcache.cc | 2 +-
 pdns/packetcache.hh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pdns/fuzz_packetcache.cc b/pdns/fuzz_packetcache.cc
index c53306c744..98f99d372f 100644
--- a/pdns/fuzz_packetcache.cc
+++ b/pdns/fuzz_packetcache.cc
@@ -29,7 +29,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- if (size > std::numeric_limits::max()) {
+ if (size > std::numeric_limits::max() || size < sizeof(dnsheader)) {
 return 0;
 }
diff --git a/pdns/packetcache.hh b/pdns/packetcache.hh
index 9baa8b3dd6..bbb670df57 100644
--- a/pdns/packetcache.hh
+++ b/pdns/packetcache.hh
@@ -76,7 +76,7 @@ public:
 uint16_t optionLen;
 while (pos < packetSize && rdataRead < rdLen && getNextEDNSOption(&packet.at(pos), rdLen - rdataRead, optionCode, optionLen)) {
- if (optionLen > (rdLen - rdataRead)) {
+ if (optionLen > (rdLen - rdataRead - 4)) {
 if (packetSize > pos) {
 currentHash = burtle(reinterpret_cast(&packet.at(pos)), packetSize - pos, currentHash);
 }
--
2.47.2
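Review bot: The added `size < sizeof(dnsheader)` guard in `LLVMFuzzerTestOneInput` turns the packet cache's minimum-length requirement into an unstated precondition, since the commit message says short packets are only "usually" dropped earlier. After this change the fuzzer can no longer show what the hashing code does with an input shorter than a DNS header. I would record the assumption next to the guard, e.g. `// the packet cache expects at least a full dnsheader; callers drop shorter packets first`. It is also worth confirming that every production caller really enforces that length before hashing, or checking it inside the cache code itself. The body of the fuzz target continues outside the hunk.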
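Review bot: The new bound `rdLen - rdataRead - 4` can go below zero when fewer than four bytes of rdata remain, because the loop condition only guarantees `rdataRead < rdLen`. The types of `rdLen` and `rdataRead` are declared outside the hunk, so it cannot be confirmed here whether that gives a negative int (the check still trips) or a wrapped unsigned value (the check is skipped); `getNextEDNSOption` may already reject that case, but its body is not visible either. Moving the constant to the other side removes the question: `if (optionLen + 4 > rdLen - rdataRead) {`. The bare `4` also deserves a comment or a named constant, something like `// 4 = option code (2) + option length (2), presumably not counted in optionLen`. The while body continues past the end of the hunk.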