On 2023-03-22 16:16, Rich Felker wrote:
> On Wed, Mar 22, 2023 at 03:29:16PM +0300, Alexey Kodanev wrote:
>> The received length field in the message may be greater than the
>> size of the 'answer' buffer in which the message resides. Currently,
>> ABUF_SIZE is 768. And if we get a larger 'alen', it will result
>> in an out-of-bounds reading during parsing, because 'alen' will
>> be passed to __dns_parse() later:
>> 
>>     __dns_parse(abuf[i], alens[i], dns_parse_callback, &ctx);
>> 
>> To fix this, limit 'alen' to the size of the received buffer.
>> ---
>>  src/network/res_msend.c | 1 +
>>  1 file changed, 1 insertion(+)
>> 
>> diff --git a/src/network/res_msend.c b/src/network/res_msend.c
>> index fef7e3a2..291853de 100644
>> --- a/src/network/res_msend.c
>> +++ b/src/network/res_msend.c
>> @@ -297,6 +297,7 @@ int __res_msend_rc(int nqueries, const unsigned 
>> char *const *queries,
>>  			int rcode = answers[i][3] & 15;
>>  			if (rcode != 0 && rcode != 3)
>>  				goto out;
>> +			if (alen > asize) alen = asize;
>> 
>>  			/* Storing the length here commits the accepted answer.
>>  			 * Immediately close TCP socket so as not to consume
>> --
>> 2.25.1
> 
> This is incorrect. It breaks res_send, whose contract is to return the
> full answer length even if it did not fit, so that the caller can
> retry with the appropriate size.
> 
> Instead, name_from_dns just needs to clamp the value before passing it
> to __dns_parse.
> 
Not only name_from_dns, but also getnameinfo. The patch is attached.

Alexey