Security fix, CVE-2017-14491, DNS heap buffer overflow.

Further fix to 0549c73b Handles case when RR name is not a pointer to the question, only occurs for some auth-mode replies, therefore not detected by fuzzing (?)

Security fix, CVE-2017-14491, DNS heap buffer overflow.
Further fix to 0549c73b Handles case when RR name is not a pointer to the question, only occurs for some auth-mode replies, therefore not detected by fuzzing (?)
62cb936c · Simon Kelley · 39921d03 · 62cb936c
Commit 62cb936c authored Sep 26, 2017 by Simon Kelley
Show whitespace changes
Inline Side-by-side

Showing with 15 additions and 12 deletions

src/rfc1035.c src/rfc1035.c +15 -12

No files found.
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1086,19 +1086,15 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
  va_start(ap, format);   /* make ap point to 1st unamed argument */
-  /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
-  CHECK_LIMIT(12);
  if (nameoffset > 0)
    {
+      CHECK_LIMIT(2);
      PUTSHORT(nameoffset | 0xc000, p);
    }
  else
    {
      char *name = va_arg(ap, char *);
-      if (name)
+      if (name && !(p = do_rfc1035_name(p, name, limit)))
-	p = do_rfc1035_name(p, name, limit);
-        if (!p)
 	{
 	  va_end(ap);
 	  goto truncated;
@@ -1106,11 +1102,18 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
      if (nameoffset < 0)
 	{
+	  CHECK_LIMIT(2);
 	  PUTSHORT(-nameoffset | 0xc000, p);
 	}
      else
+	{
+	  CHECK_LIMIT(1);
 	  *p++ = 0;
 	}
+    }
+  /* type (2) + class (2) + ttl (4) + rdlen (2) */
+  CHECK_LIMIT(10);
  PUTSHORT(type, p);
  PUTSHORT(class, p);