Module: sip-router
Branch: ser_core_cvs
Commit: a73ecb4c33a829a1a08fbf04dc7483c79443ccfb
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=a73ecb4…
Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Date: Mon Mar 30 13:59:42 2009 +0000
dns: more strict record end checking
- be more strict and always check that a record doesn't exceed its
declared length (before we checked only if the end is inside the
message).
---
resolve.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/resolve.c b/resolve.c
index b007918..9f55f3d 100644
--- a/resolve.c
+++ b/resolve.c
@@ -499,6 +499,7 @@ struct rdata* get_record(char* name, int type, int flags)
static union dns_query buff;
unsigned char* p;
unsigned char* end;
+ unsigned char* rd_end;
static char rec_name[MAX_DNS_NAME]; /* placeholder for the record name */
int rec_name_len;
unsigned short rtype, class, rdlength;
@@ -593,10 +594,11 @@ again:
memcpy((void*)&rdlength, (void*)p, 2);
rdlength=ntohs(rdlength);
p+=2;
- if (unlikely((p+rdlength)>end)) goto error_boundary;
+ rd_end=p+rdlength;
+ if (unlikely((rd_end)>end)) goto error_boundary;
if ((flags & RES_ONLY_TYPE) && (rtype!=type)){
/* skip */
- p+=rdlength;
+ p=rd_end;
continue;
}
/* expand the "type" record (rdata)*/
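Review bot: `rd_end=p+rdlength` is formed before it is compared with `end`, and `rdlength` is a 16-bit value read straight from the response, so the sum can point far past the end of `buff`. Creating a pointer beyond one-past-the-end of the array is undefined behaviour in C, and the `rd_end>end` test is then not guaranteed to catch it. Comparing lengths avoids the problem: `if (unlikely(rdlength>(end-p))) goto error_boundary;` followed by `rd_end=p+rdlength;`. Whether `p+2<=end` is verified before the `memcpy` of `rdlength` is not visible here, since the loop body of get_record starts and ends outside this hunk.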
@@ -639,7 +641,7 @@ again:
}
switch(rtype){
case T_SRV:
- srv_rd= dns_srv_parser(buff.buff, end, p);
+ srv_rd= dns_srv_parser(buff.buff, rd_end, p);
rd->rdata=(void*)srv_rd;
if (unlikely(srv_rd==0)) goto error_parse;
@@ -663,26 +665,26 @@ again:
*crt=rd;
break;
case T_A:
- rd->rdata=(void*) dns_a_parser(p,end);
+ rd->rdata=(void*) dns_a_parser(p, rd_end);
if (unlikely(rd->rdata==0)) goto error_parse;
*last=rd; /* last points to the last "next" or the list
head*/
last=&(rd->next);
break;
case T_AAAA:
- rd->rdata=(void*) dns_aaaa_parser(p,end);
+ rd->rdata=(void*) dns_aaaa_parser(p, rd_end);
if (unlikely(rd->rdata==0)) goto error_parse;
*last=rd;
last=&(rd->next);
break;
case T_CNAME:
- rd->rdata=(void*) dns_cname_parser(buff.buff, end, p);
+ rd->rdata=(void*) dns_cname_parser(buff.buff, rd_end, p);
if(unlikely(rd->rdata==0)) goto error_parse;
*last=rd;
last=&(rd->next);
break;
case T_NAPTR:
- rd->rdata=(void*) dns_naptr_parser(buff.buff, end, p);
+ rd->rdata=(void*) dns_naptr_parser(buff.buff, rd_end, p);
if(unlikely(rd->rdata==0)) goto error_parse;
*last=rd;
last=&(rd->next);
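Review bot: Passing `rd_end` stops the parsers from reading past the declared record length, but nothing visible in these case arms rejects a record whose `rdlength` is larger than its type allows. A T_A record carries exactly 4 bytes of RDATA and a T_AAAA record exactly 16. If dns_a_parser and dns_aaaa_parser only check that the address fits before the end pointer (their bodies are outside this diff), an exact check such as `if (unlikely((rd_end-p)!=4)) goto error_parse;` in the T_A arm, and the equivalent with 16 for T_AAAA, would make the length handling fully strict. A short comment at the top of the switch, e.g. `/* parsers get rd_end (end of this record), not the message end */`, would also record why `end` is no longer passed.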