From b43f60f363d3b997db088278038226cd094b3b51 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Wed, 2 Mar 2016 16:57:02 +0100
Subject: [PATCH] Fix end computation in DNSName::packetParser

end was computed by end = qpos + offset + len but the offset is already included in len, as seen in the way label compression is handled, by calling packetParser with the same original position and len but an updated offset.
---
 pdns/dnsname.cc | 2 +-
 pdns/test-dnsname_cc.cc | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/pdns/dnsname.cc b/pdns/dnsname.cc
index 2b1d269c6f..fece6db044 100644
--- a/pdns/dnsname.cc
+++ b/pdns/dnsname.cc
@@ -81,8 +81,8 @@ void DNSName::packetParser(const char* qpos, int len, int offset, bool uncompres
 if (offset >= len) throw std::range_error("Trying to read past the end of the buffer ("+std::to_string(offset)+ " >= "+std::to_string(len)+")");
- pos += offset;
 const unsigned char* end = pos + len;
+ pos += offset;
 while((labellen=*pos++) && pos < end) { // "scan and copy"
 if(labellen & 0xc0) {
 if(!uncompress)
diff --git a/pdns/test-dnsname_cc.cc b/pdns/test-dnsname_cc.cc
index dc8a6388d5..b2e247a2aa 100644
--- a/pdns/test-dnsname_cc.cc
+++ b/pdns/test-dnsname_cc.cc
@@ -256,6 +256,15 @@ BOOST_AUTO_TEST_CASE(test_PacketParse) {
 DNSPacketWriter dpw1(packet, DNSName("."), QType::AAAA);
 DNSName p((char*)&packet[0], packet.size(), 12, false);
 BOOST_CHECK_EQUAL(p, root);
+ unsigned char* buffer=&packet[0];
+ /* set invalid label len:
+ - packet.size() == 17 (sizeof(dnsheader) + 1 + 2 + 2)
+ - label len < packet.size() but
+ - offset is 12, label len of 15 should be rejected
+ because offset + 15 >= packet.size()
+ */
+ buffer[sizeof(dnsheader)] = 15;
+ BOOST_CHECK_THROW(DNSName((char*)&packet[0], packet.size(), 12, false), std::range_error);
 }
--
2.47.2
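Review bot: The loop condition on the `while` context line still reads the length byte with `*pos++` before it tests `pos < end`, so now that `end` is the true end of the buffer, an iteration that starts with `pos == end` reads one byte past it before the loop exits. Whether that state is reachable depends on the label-length checks in the loop body, which continues outside this hunk; if they do not guarantee that the next length byte is in bounds, test the bound first, `while (pos < end && (labellen = *pos++)) {`. A one-line comment above the moved statement, such as `// end is relative to the start of the packet; len already covers offset`, would also keep the two statements from being swapped back.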
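Review bot: The added assertion in test_PacketParse only covers `uncompress == false`, while the commit message cites the label-compression path, where packetParser is re-entered with the same position and len but an updated offset, as the reason `len` already includes `offset`. A second case that parses with `uncompress` set to `true` a name whose compression pointer lands on a label with an over-long length byte, and expects `std::range_error`, would pin that path too. test_PacketParse starts before this hunk and the rest of the file is not visible here, so such a case may already exist elsewhere.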