From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alexey Kodanev
To: musl@lists.openwall.com
Cc: Alexey Kodanev
Date: Wed, 22 Mar 2023 17:48:40 +0300
Message-Id: <20230322144840.138539-1-aleksei.kodanev@bell-sw.com>
X-Mailer: git-send-email 2.25.1
Subject: [musl] [PATCH v2] dns: check length field in tcp response message

The received length field in the message may be greater than the size of the 'answer' buffer in which the message resides. Currently, ABUF_SIZE is 768. And if we get a larger 'alens[i]', it will result in an out-of-bounds reading in __dns_parse(). To fix this, limit the length to the size of the received buffer.

--- v2: move the check to name_from_dns() src/network/lookup_name.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c index 5f6867cb..e324f39d 100644 --- a/src/network/lookup_name.c +++ b/src/network/lookup_name.c @@ -179,6 +179,7 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static for (i=nq-1; i>=0; i--) { ctx.rrtype = qtypes[i]; + if (alens[i] > sizeof(abuf[i])) alens[i] = sizeof(abuf[i]); __dns_parse(abuf[i], alens[i], dns_parse_callback, &ctx); } -- 2.25.1
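
Review bot: the new clamp ahead of `__dns_parse()` in the `for (i=nq-1; i>=0; i--)` loop carries no comment saying why `alens[i]` can exceed `sizeof(abuf[i])`; the reason (a TCP response whose length field is larger than the 'answer' buffer) lives only in the commit message, so a one-line comment above the `if` would keep the bound from being dropped later as redundant. Two things should be confirmed against declarations that are outside this hunk: that `abuf[i]` is an array and not a pointer, so that `sizeof(abuf[i])` really is the buffer size (comparing against the `ABUF_SIZE` named in the commit message, if that macro is in scope here, would make the intent explicit), and that `alens[i]` cannot be negative, because a signed value compared with a `size_t` is converted to a large unsigned one and would be clamped to the full buffer size instead of being rejected. The clamp also hands `__dns_parse()` a message cut short at the buffer size without signalling it, so the comment should say that a truncated final record is expected and tolerated there.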