From: Remi Gacogne Date: Fri, 20 Nov 2015 11:16:16 +0000 (+0100) Subject: Check that offset < len in DNSName::packetParser. X-Git-Tag: dnsdist-1.0.0-alpha1~210^2~8^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3bf1f0b0600ddff7fb192a3d4ac5a2a431ff53c6;p=pdns Check that offset < len in DNSName::packetParser. If DNSName::packetParser() is called with offset >= len, we do pos = qpos + offset, then labellen=*pos++ before checking that pos is not after qpos + len, leading to a potential out-of-bound read. --- diff --git a/pdns/dnsname.cc b/pdns/dnsname.cc index 7f7976e91..c69270db9 100644 --- a/pdns/dnsname.cc +++ b/pdns/dnsname.cc @@ -41,6 +41,10 @@ void DNSName::packetParser(const char* qpos, int len, int offset, bool uncompres const unsigned char* pos=(const unsigned char*)qpos; unsigned char labellen; const unsigned char *opos = pos; + + if (offset >= len) + throw std::range_error("Trying to read past the end of the buffer"); + pos += offset; const unsigned char* end = pos + len; while((labellen=*pos++) && pos < end) { // "scan and copy"
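Review bot: `end` is still computed as `pos + len` after `pos += offset` in the context lines just below the new check, so it points at `qpos + offset + len` rather than `qpos + len`. With any non-zero `offset`, the `pos < end` test in the scan loop therefore allows reads up to `offset` bytes past the buffer even when `offset < len` holds. Suggest deriving the bound from the start of the buffer, for example `end = opos + len`, or computing `end` before advancing `pos`. Separately, `offset` and `len` are both `int`, and `offset >= len` does not reject a negative `offset`, which would move `pos` before `qpos`; consider also throwing when `offset < 0`.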