Check that offset < len in DNSName::packetParser.

If DNSName::packetParser() is called with offset >= len,
we do pos = qpos + offset, then labellen=*pos++ before
checking that pos is not after qpos + len, leading to
a potential out-of-bound read.

diff --git a/pdns/dnsname.cc b/pdns/dnsname.cc
index 7f7976e91e0d5044b3cee03a9a23dd2d52ad6e26..c69270db98903db96cb1b74297bb9d464305f78e 100644 (file)
--- a/pdns/dnsname.cc
+++ b/pdns/dnsname.cc
@@ -41,6 +41,10 @@ void DNSName::packetParser(const char* qpos, int len, int offset, bool uncompres
   const unsigned char* pos=(const unsigned char*)qpos;
   unsigned char labellen;
   const unsigned char *opos = pos;
+
+  if (offset >= len)
+    throw std::range_error("Trying to read past the end of the buffer");
+
   pos += offset;
   const unsigned char* end = pos + len;
   while((labellen=*pos++) && pos < end) { // "scan and copy"