+++ /dev/null
-From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Tue, 26 Sep 2017 22:00:11 +0100
-Subject: Security fix, CVE-2017-14491, DNS heap buffer overflow.
-
-Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
-Handles case when RR name is not a pointer to the question,
-only occurs for some auth-mode replies, therefore not
-detected by fuzzing (?)
----
- src/rfc1035.c | 27 +++++++++++++++------------
- 1 file changed, 15 insertions(+), 12 deletions(-)
-
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 27af023..56ab88b 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
-
- va_start(ap, format); /* make ap point to 1st unamed argument */
-
-- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
-- CHECK_LIMIT(12);
--
- if (nameoffset > 0)
- {
-+ CHECK_LIMIT(2);
- PUTSHORT(nameoffset | 0xc000, p);
- }
- else
- {
- char *name = va_arg(ap, char *);
-- if (name)
-- p = do_rfc1035_name(p, name, limit);
-- if (!p)
-- {
-- va_end(ap);
-- goto truncated;
-- }
--
-+ if (name && !(p = do_rfc1035_name(p, name, limit)))
-+ {
-+ va_end(ap);
-+ goto truncated;
-+ }
-+
- if (nameoffset < 0)
- {
-+ CHECK_LIMIT(2);
- PUTSHORT(-nameoffset | 0xc000, p);
- }
- else
-- *p++ = 0;
-+ {
-+ CHECK_LIMIT(1);
-+ *p++ = 0;
-+ }
- }
-
-+ /* type (2) + class (2) + ttl (4) + rdlen (2) */
-+ CHECK_LIMIT(10);
-+
- PUTSHORT(type, p);
- PUTSHORT(class, p);
- PUTLONG(ttl, p); /* TTL */
---
-2.7.4
-
Code Review / pti / rtp.git / blobdiff