resolve: check for underflow of size parameter (#7889)

to dns_packet_read_memdup() Closes #7888
author: Shawn Landden <slandden@gmail.com> 2018-01-17 14:49:22 +0100
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2018-01-17 14:49:22 +0100
commit: 8a0f6d1f6b8086e342e56aad55d536b42c01e08d (patch)
tree: ea5445a25d07b8fa8e3112a6f167274f4eaa7499 /src/resolve
parent: efivars: include errno.h when EFI support is disabled (#7900) (diff)
download: systemd-8a0f6d1f6b8086e342e56aad55d536b42c01e08d.tar.xz
systemd-8a0f6d1f6b8086e342e56aad55d536b42c01e08d.zip
1 files changed, 18 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index d7a839a823..70260b38b8 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1837,6 +1837,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                 if (r < 0)
                         return r;
 
+                if (rdlength < 4)
+                        return -EBADMSG;
+
                 r = dns_packet_read_memdup(p, rdlength - 4,
                                            &rr->ds.digest, &rr->ds.digest_size,
                                            NULL);
@@ -1859,6 +1862,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                 if (r < 0)
                         return r;
 
+                if (rdlength < 2)
+                        return -EBADMSG;
+
                 r = dns_packet_read_memdup(p, rdlength - 2,
                                            &rr->sshfp.fingerprint, &rr->sshfp.fingerprint_size,
                                            NULL);
@@ -1883,6 +1889,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                 if (r < 0)
                         return r;
 
+                if (rdlength < 4)
+                        return -EBADMSG;
+
                 r = dns_packet_read_memdup(p, rdlength - 4,
                                            &rr->dnskey.key, &rr->dnskey.key_size,
                                            NULL);
@@ -1927,6 +1936,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                 if (r < 0)
                         return r;
 
+                if (rdlength + offset < p->rindex)
+                        return -EBADMSG;
+
                 r = dns_packet_read_memdup(p, offset + rdlength - p->rindex,
                                            &rr->rrsig.signature, &rr->rrsig.signature_size,
                                            NULL);
@@ -2016,6 +2028,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                 if (r < 0)
                         return r;
 
+                if (rdlength < 3)
+                        return -EBADMSG;
+
                 r = dns_packet_read_memdup(p, rdlength - 3,
                                            &rr->tlsa.data, &rr->tlsa.data_size,
                                            NULL);
@@ -2036,6 +2051,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_fl
                 if (r < 0)
                         return r;
 
+                if (rdlength + offset < p->rindex)
+                        return -EBADMSG;
+
                 r = dns_packet_read_memdup(p,
                                            rdlength + offset - p->rindex,
                                            &rr->caa.value, &rr->caa.value_size, NULL);
author	Shawn Landden <slandden@gmail.com>	2018-01-17 14:49:22 +0100
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2018-01-17 14:49:22 +0100
commit	8a0f6d1f6b8086e342e56aad55d536b42c01e08d (patch)
tree	ea5445a25d07b8fa8e3112a6f167274f4eaa7499 /src/resolve
parent	efivars: include errno.h when EFI support is disabled (#7900) (diff)
download	systemd-8a0f6d1f6b8086e342e56aad55d536b42c01e08d.tar.xz systemd-8a0f6d1f6b8086e342e56aad55d536b42c01e08d.zip