dnsproxy: Add length checks to prevent buffer overflow
Colin Wee authored and LaakkonenJussi committed Feb 8, 2021
1 parent fbf9f79 commit a76fc92
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions connman/src/dnsproxy.c
@@ -1765,6 +1765,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
char **uncompressed_ptr)
{
char *uptr = *uncompressed_ptr; /* position in result buffer */
char * const uncomp_end = uncompressed + uncomp_len - 1;

DBG("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);

@@ -1786,6 +1787,9 @@ static char *uncompress(int16_t field_count, char *start, char *end,
*/

ulen = strlen(name);
if ((uptr + ulen + 1) > uncomp_end) {
goto out;
}
strncpy(uptr, name, uncomp_len - (uptr - uncompressed));

DBG("pos %d ulen %d left %d name %s", pos, ulen,
@@ -1800,6 +1804,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
* We copy also the fixed portion of the result (type, class,
* ttl, address length and the address)
*/
if ((uptr + NS_RRFIXEDSZ) > uncomp_end) {
DBG("uncompressed data too large for buffer");
goto out;
}
memcpy(uptr, ptr, NS_RRFIXEDSZ);

dns_type = uptr[0] << 8 | uptr[1];
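Review bot: Both new guards, `(uptr + ulen + 1) > uncomp_end` and `(uptr + NS_RRFIXEDSZ) > uncomp_end`, form a pointer that may lie past the end of the result buffer before comparing it, which is undefined behaviour in C and can be optimised in ways that defeat the check. Comparing the needed length with the space left avoids that, e.g. `if (ulen + 1 > uncomp_end - uptr)` and `if (NS_RRFIXEDSZ > uncomp_end - uptr)` (assuming `ulen` is a signed int, as the `%d` in the DBG call suggests). The name guard also bails out silently while the fixed-portion guard logs; a matching `DBG("uncompressed name too large for buffer");` would make dropped replies diagnosable. The `memcpy(uptr, ptr, NS_RRFIXEDSZ)` still reads from `ptr` with no check against `end` visible in this hunk, and uncompress() continues beyond the shown lines, so any later copies into `uptr` should be confirmed to have the same guard.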