Both boundary checks in the authority record parsing loop of
resolv_validate_dns_response() use >= bufend where they should use
> bufend, causing valid DNS responses with exactly enough bytes to be
rejected as invalid.

The first one, "reader + offset + 10 >= bufend", is too strict since it
prevents 10-byte responses from being accepted as valid while they
are. The second one, "reader + len >= bufend", has the same issue: when
exactly len bytes remain, the check rejects it even though dns_max_name()
already validated it. It may be backported though it is unlikely to ever
be noticed.
if (len == 0)
goto invalid_resp;
- if (reader + offset + 10 >= bufend)
+ if (reader + offset + 10 > bufend)
goto invalid_resp;
reader += offset;
len = reader[0] * 256 + reader[1];
reader += 2;
- if (reader + len >= bufend)
+ if (reader + len > bufend)
goto invalid_resp;
reader += len;
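Review bot: With the second check relaxed to "reader + len > bufend", the following "reader += len" can now leave reader exactly equal to bufend, so whatever reads next (the name read at the top of the next loop iteration, which is not visible here) must compare against bufend before dereferencing anything. Please confirm that path returns 0 and lands on the existing "if (len == 0) goto invalid_resp;" when no bytes remain, and consider adding a regression test with a response whose last authority record ends on the final byte of the buffer, since that is the case this change newly accepts. Separately, both checks still build the pointer sum before comparing it (for example "reader + offset + 10"), which can form a pointer well past bufend when offset or len is large; comparing lengths instead, such as "offset + 10 > bufend - reader" and "len > bufend - reader", expresses the same bound without that out-of-range pointer arithmetic.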