Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 18:28:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Security fix, CVE-2017-14491, DNS heap buffer overflow.

Browse Source 
Further fix to 0549c73b7e
Handles case when RR name is not a pointer to the question,
only occurs for some auth-mode replies, therefore not
detected by fuzzing (?)
This commit is contained in:
Simon Kelley
2017-09-26 22:00:11 +01:00
parent 39921d03ba
commit 62cb936cb7
1 changed files with 15 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/rfc1035.c
View File

@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
va_start(ap, format); /* make ap point to 1st unamed argument */ va_start(ap, format); /* make ap point to 1st unamed argument */
/* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
CHECK_LIMIT(12);
if (nameoffset > 0) if (nameoffset > 0)
{ {
CHECK_LIMIT(2);
PUTSHORT(nameoffset | 0xc000, p); PUTSHORT(nameoffset | 0xc000, p);
} }
else else
{ {
char *name = va_arg(ap, char *); char *name = va_arg(ap, char *);
if (name) if (name && !(p = do_rfc1035_name(p, name, limit)))
p = do_rfc1035_name(p, name, limit); {
if (!p) va_end(ap);
{ goto truncated;
va_end(ap); }
goto truncated;
}
if (nameoffset < 0) if (nameoffset < 0)
{ {
CHECK_LIMIT(2);
PUTSHORT(-nameoffset | 0xc000, p); PUTSHORT(-nameoffset | 0xc000, p);
} }
else else
*p++ = 0; {
CHECK_LIMIT(1);
*p++ = 0;
}
} }
/* type (2) + class (2) + ttl (4) + rdlen (2) */
CHECK_LIMIT(10);
PUTSHORT(type, p); PUTSHORT(type, p);
PUTSHORT(class, p); PUTSHORT(class, p);
PUTLONG(ttl, p); /* TTL */ PUTLONG(ttl, p); /* TTL */