kaspar/RIOT
1
0
Fork 0
mirror of https://github.com/RIOT-OS/RIOT.git synced 2025-12-25 06:23:53 +01:00
Code Releases Activity

sock_dns: Fix incorrect buffer bounds check

Browse Source 
Apart from advancing the buffer by RR_TYPE_LENGTH, RR_CLASS_LENGTH,
and RR_TTL_LENGTH the code also attempts to read a two byte unsigned
integer using _get_short(bufpos):

	unsigned addrlen = ntohs(_get_short(bufpos));

The bounds check must therefore ensure that the given buffer is large
enough to contain two more bytes after advancing the buffer.
This commit is contained in:
Sören Tempel 2020-10-30 21:41:39 +01:00
parent 4021b10c2b
commit 85296ce6cc
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sys/net/application_layer/dns/dns.c
View File

@ -125,7 +125,8 @@ static int _parse_dns_reply(uint8_t *buf, size_t len, void* addr_out, int family
return tmp;
}
bufpos += tmp;
if ((bufpos + RR_TYPE_LENGTH + RR_CLASS_LENGTH + RR_TTL_LENGTH) >= buflim) {
if ((bufpos + RR_TYPE_LENGTH + RR_CLASS_LENGTH +
RR_TTL_LENGTH + sizeof(uint16_t)) >= buflim) {
return -EBADMSG;
}
uint16_t _type = ntohs(_get_short(bufpos));