From 85296ce6cc711a5a2d3826ba2f9aeb4a69e9b4d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Tempel?=
Date: Fri, 30 Oct 2020 21:41:39 +0100
Subject: [PATCH] sock_dns: Fix incorrect buffer bounds check

Apart from advancing the buffer by RR_TYPE_LENGTH, RR_CLASS_LENGTH, and RR_TTL_LENGTH the code also attempts to read a two byte unsigned integer using _get_short(bufpos): unsigned addrlen = ntohs(_get_short(bufpos)); The bounds check must therefore ensure that the given buffer is large enough to contain two more bytes after advancing the buffer.
---
 sys/net/application_layer/dns/dns.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/net/application_layer/dns/dns.c b/sys/net/application_layer/dns/dns.c
index f42ce3360f..b9e80029c4 100644
--- a/sys/net/application_layer/dns/dns.c
+++ b/sys/net/application_layer/dns/dns.c
@@ -125,7 +125,8 @@ static int _parse_dns_reply(uint8_t *buf, size_t len, void* addr_out, int family
 return tmp;
 }
 bufpos += tmp;
- if ((bufpos + RR_TYPE_LENGTH + RR_CLASS_LENGTH + RR_TTL_LENGTH) >= buflim) {
+ if ((bufpos + RR_TYPE_LENGTH + RR_CLASS_LENGTH +
+ RR_TTL_LENGTH + sizeof(uint16_t)) >= buflim) {
 return -EBADMSG;
 }
 uint16_t _type = ntohs(_get_short(bufpos));
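Review bot: The corrected guard still tests the bound by forming the pointer `bufpos + RR_TYPE_LENGTH + RR_CLASS_LENGTH + RR_TTL_LENGTH + sizeof(uint16_t)` and comparing it with `buflim`, which is undefined behaviour in C whenever that sum lands more than one element past the end of the reply buffer. Assuming `bufpos` and `buflim` are byte pointers into the same buffer with `bufpos <= buflim` at this point (their declarations are outside the hunk), comparing the remaining length keeps the same accept/reject behaviour without the out-of-range pointer: `if ((size_t)(buflim - bufpos) <= RR_TYPE_LENGTH + RR_CLASS_LENGTH + RR_TTL_LENGTH + sizeof(uint16_t)) {`. A short comment such as `/* + 2 bytes: RDLENGTH, read below via _get_short() */` would also record why `sizeof(uint16_t)` is part of the sum. `_parse_dns_reply` continues past the hunk, so whether the RDATA bytes counted by `addrlen` get their own check against `buflim` cannot be confirmed from here and is worth verifying.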