From 3bf1f0b0600ddff7fb192a3d4ac5a2a431ff53c6 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Fri, 20 Nov 2015 12:16:16 +0100
Subject: [PATCH] Check that offset < len in DNSName::packetParser.

If DNSName::packetParser() is called with offset >= len, we do pos = qpos + offset, then labellen=*pos++ before checking that pos is not after qpos + len, leading to a potential out-of-bound read.
---
 pdns/dnsname.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pdns/dnsname.cc b/pdns/dnsname.cc
index 7f7976e91..c69270db9 100644
--- a/pdns/dnsname.cc
+++ b/pdns/dnsname.cc
@@ -41,6 +41,10 @@ void DNSName::packetParser(const char* qpos, int len, int offset, bool uncompres
 const unsigned char* pos=(const unsigned char*)qpos;
 unsigned char labellen;
 const unsigned char *opos = pos;
+
+ if (offset >= len)
+ throw std::range_error("Trying to read past the end of the buffer");
+
 pos += offset;
 const unsigned char* end = pos + len;
 while((labellen=*pos++) && pos < end) { // "scan and copy"
-- 
2.40.0
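Review bot: The loop bound is still wrong after this guard, because `end` is computed as `pos + len` after `pos += offset`, which places it `offset` bytes beyond the real end of the packet at `qpos + len`. Label reads can therefore still pass the end of the buffer for any non-zero offset; deriving the bound from the untouched start pointer, `const unsigned char* end = opos + len;`, would pin it to the actual buffer. The guard also lets a negative `offset` through, since both values are signed `int`, so `if (offset < 0 || offset >= len)` is the safer condition. The body of packetParser continues outside the hunk, so later uses of `end` should be checked against the corrected bound.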