1 From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Tue, 26 Sep 2017 22:00:11 +0100
4 Subject: Security fix, CVE-2017-14491, DNS heap buffer overflow.
6 Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
7 Handles the case where the RR name is not a pointer to the question.
8 This only occurs for some auth-mode replies, which is presumably why it was
9 not detected by fuzzing.
11 src/rfc1035.c | 27 +++++++++++++++------------
12 1 file changed, 15 insertions(+), 12 deletions(-)
14 diff --git a/src/rfc1035.c b/src/rfc1035.c
15 index 27af023..56ab88b 100644
18 @@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
20 va_start(ap, format); /* make ap point to 1st unamed argument */
22 - /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
28 PUTSHORT(nameoffset | 0xc000, p);
32 char *name = va_arg(ap, char *);
34 - p = do_rfc1035_name(p, name, limit);
41 + if (name && !(p = do_rfc1035_name(p, name, limit)))
50 PUTSHORT(-nameoffset | 0xc000, p);
60 + /* type (2) + class (2) + ttl (4) + rdlen (2) */
65 PUTLONG(ttl, p); /* TTL */
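Review bot: Removing the single up-front 12-byte check described by the comment deleted at line 22 means every write that precedes the 10-byte check announced at line 60 must now be bounded on its own: the 2-byte compression pointer at line 28, the trailing 0 byte of the uncompressed-name branch, and the `-nameoffset` pointer at line 50. Only the comment for the 10-byte check is visible in this excerpt, so please confirm that each of those writes is preceded by its own `CHECK_LIMIT(2)` / `CHECK_LIMIT(1)` in the elided lines, including the path where `name` is NULL at line 41 and `p` is left untouched but control still reaches the pointer/zero writes. The rewritten condition at line 41 also makes the name branch rely entirely on `do_rfc1035_name()` returning NULL instead of writing past `limit`, a function that lives outside this hunk; a one-line comment above it, `/* do_rfc1035_name() returns NULL if the name would overrun limit; treat that as truncation, never write past the buffer */`, would record the contract the fix depends on. add_resource_record() begins before this hunk and its body continues after it.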