diff options
| author | Luke Huang <huangluke@google.com> | 2021-01-07 05:02:04 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-01-07 05:02:04 +0000 |
| commit | 5bfc7bb2fbc132bc7d2c7064a925b85ba5897b57 (patch) | |
| tree | da155f024bdb70b1c4a82e99bfbcc9f366866477 | |
| parent | 1c79886d80c41032e9ab09be9df23ed6e7b86b0e (diff) | |
| parent | 35a6d0cb359bb12899075ea59809bbcebff333cc (diff) | |
| download | dnsmasq-5bfc7bb2fbc132bc7d2c7064a925b85ba5897b57.tar.gz | |
dnsmasq: fix heap overflow am: 2c415e570a am: d9b4de509f am: 35a6d0cb35
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/dnsmasq/+/13032295
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Id9816b16aa91c463cac086df03f66f4297a6f95b
| -rw-r--r-- | src/dnsmasq.h | 2 | ||||
| -rw-r--r-- | src/rfc1035.c | 28 | ||||
| -rw-r--r-- | src/rfc2131.c | 4 | ||||
| -rw-r--r-- | src/util.c | 11 |
4 files changed, 37 insertions, 8 deletions
diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 2c5f964..9af3a2c 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -684,7 +684,7 @@ void rand_init(void); unsigned short rand16(void); int legal_hostname(char* c); char* canonicalise(char* s, int* nomem); -unsigned char* do_rfc1035_name(unsigned char* p, char* sval); +unsigned char* do_rfc1035_name(unsigned char* p, char* sval, char *limit); void* safe_malloc(size_t size); void safe_pipe(int* fd, int read_noblock); void* whine_malloc(size_t size); diff --git a/src/rfc1035.c b/src/rfc1035.c index 0f883e1..47479ab 100644 --- a/src/rfc1035.c +++ b/src/rfc1035.c @@ -847,9 +847,19 @@ static int add_resource_record(HEADER* header, char* limit, int* truncp, unsigne unsigned short usval; long lval; char* sval; +#define CHECK_LIMIT(size) \ + if (limit && p + (size) > (unsigned char*)limit) { \ + va_end(ap); \ + goto truncated; \ + } if (truncp && *truncp) return 0; + va_start(ap, format); /* make ap point to 1st unamed argument */ + + /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */ + CHECK_LIMIT(12); + PUTSHORT(nameoffset | 0xc000, p); PUTSHORT(type, p); PUTSHORT(class, p); @@ -858,11 +868,10 @@ static int add_resource_record(HEADER* header, char* limit, int* truncp, unsigne sav = p; /* Save pointer to RDLength field */ PUTSHORT(0, p); /* Placeholder RDLength */ - va_start(ap, format); /* make ap point to 1st unamed argument */ - for (; *format; format++) switch (*format) { #ifdef HAVE_IPV6 case '6': + CHECK_LIMIT(IN6ADDRSZ); sval = va_arg(ap, char*); memcpy(p, sval, IN6ADDRSZ); p += IN6ADDRSZ; @@ -870,17 +879,20 @@ static int add_resource_record(HEADER* header, char* limit, int* truncp, unsigne #endif case '4': + CHECK_LIMIT(INADDRSZ); sval = va_arg(ap, char*); memcpy(p, sval, INADDRSZ); p += INADDRSZ; break; case 's': + CHECK_LIMIT(2); usval = va_arg(ap, int); PUTSHORT(usval, p); break; case 'l': + CHECK_LIMIT(4); lval = va_arg(ap, long); PUTLONG(lval, p); break; @@ -888,12 +900,18 @@ static int add_resource_record(HEADER* header, char* limit, int* truncp, unsigne case 'd': /* get domain-name answer arg and store it in RDATA field */ if (offset) *offset = p - (unsigned char*) header; - p = do_rfc1035_name(p, va_arg(ap, char*)); + p = do_rfc1035_name(p, va_arg(ap, char*), limit); + if (!p) { + va_end(ap); + goto truncated; + } + CHECK_LIMIT(1); *p++ = 0; break; case 't': usval = va_arg(ap, int); + CHECK_LIMIT(usval); sval = va_arg(ap, char*); memcpy(p, sval, usval); p += usval; @@ -903,19 +921,23 @@ static int add_resource_record(HEADER* header, char* limit, int* truncp, unsigne sval = va_arg(ap, char*); usval = sval ? strlen(sval) : 0; if (usval > 255) usval = 255; + CHECK_LIMIT(usval + 1); *p++ = (unsigned char) usval; memcpy(p, sval, usval); p += usval; break; } +#undef CHECK_LIMIT va_end(ap); /* clean up variable argument pointer */ j = p - sav - 2; + /* this has already been checked against limit before */ PUTSHORT(j, sav); /* Now, store real RDLength */ /* check for overflow of buffer */ if (limit && ((unsigned char*) limit - p) < 0) { +truncated: if (truncp) *truncp = 1; return 0; } diff --git a/src/rfc2131.c b/src/rfc2131.c index f74ecb9..c0f649a 100644 --- a/src/rfc2131.c +++ b/src/rfc2131.c @@ -1889,8 +1889,8 @@ static void do_options(struct dhcp_context* context, struct dhcp_packet* mess, u *(p++) = 255; if (fqdn_flags & 0x04) { - p = do_rfc1035_name(p, hostname); - if (domain) p = do_rfc1035_name(p, domain); + p = do_rfc1035_name(p, hostname, NULL); + if (domain) p = do_rfc1035_name(p, domain, NULL); *p++ = 0; } else { memcpy(p, hostname, strlen(hostname)); @@ -190,12 +190,19 @@ char* canonicalise(char* in, int* nomem) { return ret; } -unsigned char* do_rfc1035_name(unsigned char* p, char* sval) { +unsigned char* do_rfc1035_name(unsigned char* p, char* sval, char *limit) { int j; while (sval && *sval) { + if (limit && p + 1 > (unsigned char*)limit) + return p; + unsigned char* cp = p++; - for (j = 0; *sval && (*sval != '.'); sval++, j++) *p++ = *sval; + for (j = 0; *sval && (*sval != '.'); sval++, j++) { + if (limit && p + 1 > (unsigned char*)limit) + return p; + *p++ = *sval; + } *cp = j; if (*sval) sval++; } |