author | Matthias Gerstner <matthias.gerstner@suse.de> | 2022-10-27 12:32:51 +0200 |
---|---|---|
committer | Daniel Wagner <wagi@monom.org> | 2022-11-03 08:10:30 +0100 |
commit | 6d2cec47445bdb1ca5bd8848215dac804a884c7e (patch) | |
tree | 8bf1f5f83b0e2843fa1c08ac52f0735c817319b9 | |
parent | 6e235851d18d6a3d3a64731bae707d0742d78852 (diff) | |
download | connman-6d2cec47445bdb1ca5bd8848215dac804a884c7e.tar.gz |
dnsproxy: strip_domains(): fix out of bounds read access
If the name is not found in an answer record then `ptr` is NULL and the
calculation at the end of the while loop `maxlen -= answers - ptr` will
underflow, resulting in a very large `maxlen` value and consequently in
out of bound read accesses parsing beyond the actual end of the answers
section.
-rw-r--r-- | src/dnsproxy.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/dnsproxy.c b/src/dnsproxy.c index 4c36cb76..b093e87d 100644 --- a/src/dnsproxy.c +++ b/src/dnsproxy.c @@ -1903,6 +1903,8 @@ static int strip_domains(char *name, char *answers, int maxlen) end -= domain_len; maxlen -= domain_len; } + } else { + ptr = answers; } answers += strlen(answers) + 1; |
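Review bot: the new `else` branch in strip_domains() sets `ptr = answers;` without a comment explaining why. The reason is only visible in the commit message: the subtraction `maxlen -= answers - ptr` at the end of the loop must not run with a NULL `ptr`. Please add a one-line comment here so the branch is not dropped as dead code in a later cleanup. Also, the context line right after it, `answers += strlen(answers) + 1;`, advances by an unbounded strlen(), and nothing in the visible lines checks that the signed `int maxlen` stays positive after `maxlen -= domain_len`. Consider bounding the scan with `strnlen(answers, maxlen)` and returning early when no terminator is found within `maxlen` or when `maxlen` reaches zero or below, so a malformed answers section cannot push the parser past the buffer by another route.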