X-Git-Url: http://git.meshlink.io/?a=blobdiff_plain;f=avahi-core%2Fdns.c;h=0206ec767271227fb37fb0ad85daa937b3e69d55;hb=7b2cfb7ec3c22b16615d4dfb37bdf08f85f31bad;hp=d237d55ab1de23623ca7b48648d67f6cf4de7c96;hpb=20011324500a728851e4888c890a756ecf71394b;p=catta
diff --git a/avahi-core/dns.c b/avahi-core/dns.c
index d237d55..0206ec7 100644
--- a/avahi-core/dns.c
+++ b/avahi-core/dns.c
@@ -23,13 +23,15 @@
 #include
 #endif
-#include
-
 #include
 #include
 #include
 #include
+#include
+#include
+
+#include
 #include
 #include
@@ -321,7 +323,6 @@ int avahi_dns_packet_check_valid_multicast(AvahiDnsPacket *p) {
 return 0;
 }
-
 int avahi_dns_packet_is_query(AvahiDnsPacket *p) {
 assert(p);
@@ -332,9 +333,11 @@ static int consume_labels(AvahiDnsPacket *p, unsigned idx, char *ret_name, size_
 int ret = 0;
 int compressed = 0;
 int first_label = 1;
+ unsigned label_ptr;
+ int i;
 assert(p && ret_name && l);
- for (;;) {
+ for (i = 0; i < AVAHI_DNS_LABELS_MAX; i++) {
 uint8_t n;
 if (idx+1 > p->size)
@@ -384,7 +387,12 @@ static int consume_labels(AvahiDnsPacket *p, unsigned idx, char *ret_name, size_
 if (idx+2 > p->size)
 return -1;
- idx = ((unsigned) (AVAHI_DNS_PACKET_DATA(p)[idx] & ~0xC0)) << 8 | AVAHI_DNS_PACKET_DATA(p)[idx+1];
+ label_ptr = ((unsigned) (AVAHI_DNS_PACKET_DATA(p)[idx] & ~0xC0)) << 8 | AVAHI_DNS_PACKET_DATA(p)[idx+1];
+
+ if ((label_ptr < AVAHI_DNS_PACKET_HEADER_SIZE) || (label_ptr >= idx))
+ return -1;
+
+ idx = label_ptr;
 if (!compressed)
 ret += 2;
@@ -393,6 +401,8 @@ static int consume_labels(AvahiDnsPacket *p, unsigned idx, char *ret_name, size_
 } else
 return -1;
 }
+
+ return -1;
 }
 int avahi_dns_packet_consume_name(AvahiDnsPacket *p, char *ret_name, size_t l) {
@@ -579,6 +589,7 @@ static int parse_rdata(AvahiDnsPacket *p, AvahiRecord *r, uint16_t rdlength) {
 if (rdlength > 0) {
 r->data.generic.data = avahi_memdup(avahi_dns_packet_get_rptr(p), rdlength);
+ r->data.generic.size = rdlength;
 if (avahi_dns_packet_skip(p, rdlength) < 0)
 return -1;
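Review bot: In consume_labels the new bound `for (i = 0; i < AVAHI_DNS_LABELS_MAX; i++)` has no comment, and as far as the visible lines show each iteration handles either one label or one compression-pointer hop, so both draw on the same budget. If AVAHI_DNS_LABELS_MAX is sized as the label count of a valid name (its value is not on the page), a legitimate name close to that limit that also uses compression would be rejected; worth confirming. I would add `/* Hard cap on labels plus pointer hops so a malformed packet cannot keep the parser looping */` above the loop. The function body starts and ends outside this hunk.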
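Review bot: The new test `label_ptr >= idx` in the compressed-label branch of consume_labels compares the target only with the offset of the pointer being read, so on its own it does not guarantee termination: ordinary labels advance idx again after a jump, and the same pointer can be reached a second time. Termination then rests on the AVAHI_DNS_LABELS_MAX cap added in the previous hunk (and presumably on `l` running out), which deserves a comment here, e.g. `/* Pointers must point backwards and past the header; the loop cap bounds any remaining cycle */`. A stricter variant would remember the lowest offset jumped to so far and require every new target to be below it. The branch continues outside the hunk.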
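Review bot: In the generic branch of parse_rdata the result of avahi_memdup() is stored and the new `r->data.generic.size = rdlength;` is set without a NULL check, so if avahi_memdup can fail (its definition is not on the page) the record ends up with a non-zero size and no data. I would add `if (!r->data.generic.data) return -1;` before the size assignment. The copy is also made before avahi_dns_packet_skip() confirms that rdlength bytes remain in the packet; unless the caller has already bounded rdlength, which this hunk does not show, the remaining length should be checked before the memdup. parse_rdata starts and ends outside the hunk.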
@@ -620,6 +631,9 @@ AvahiRecord* avahi_dns_packet_consume_record(AvahiDnsPacket *p, int *ret_cache_f
 if (parse_rdata(p, r, rdlength) < 0)
 goto fail;
+
+ if (!avahi_record_is_valid(r))
+ goto fail;
 return r;
@@ -633,6 +647,7 @@ fail:
 AvahiKey* avahi_dns_packet_consume_key(AvahiDnsPacket *p, int *ret_unicast_response) {
 char name[256];
 uint16_t type, class;
+ AvahiKey *k;
 assert(p);
@@ -646,7 +661,15 @@ AvahiKey* avahi_dns_packet_consume_key(AvahiDnsPacket *p, int *ret_unicast_respo
 class &= ~AVAHI_DNS_UNICAST_RESPONSE;
- return avahi_key_new(name, class, type);
+ if (!(k = avahi_key_new(name, class, type)))
+ return NULL;
+
+ if (!avahi_key_is_valid(k)) {
+ avahi_key_unref(k);
+ return NULL;
+ }
+
+ return k;
 }
 uint8_t* avahi_dns_packet_append_key(AvahiDnsPacket *p, AvahiKey *k, int unicast_response) {
@@ -732,7 +755,7 @@ static int append_rdata(AvahiDnsPacket *p, AvahiRecord *r) {
 default:
 if (r->data.generic.size)
- if (avahi_dns_packet_append_bytes(p, r->data.generic.data, r->data.generic.size))
+ if (!avahi_dns_packet_append_bytes(p, r->data.generic.data, r->data.generic.size))
 return -1;
 break;
@@ -764,7 +787,7 @@ uint8_t* avahi_dns_packet_append_record(AvahiDnsPacket *p, AvahiRecord *r, int c
 goto fail;
 size = avahi_dns_packet_extend(p, 0) - start;
- assert(size <= 0xFFFF);
+ assert(size <= AVAHI_DNS_RDATA_MAX);
 /* avahi_log_debug("appended %u", size); */
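Review bot: In the default case of append_rdata the corrected call still sits in a brace-less nested `if`, which makes the success/failure sense of the inner test easy to misread. Folding both tests into one condition states the intent directly: `if (r->data.generic.size && !avahi_dns_packet_append_bytes(p, r->data.generic.data, r->data.generic.size)) return -1;`. The surrounding switch lies outside the hunk.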
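Review bot: `assert(size <= AVAHI_DNS_RDATA_MAX);` in avahi_dns_packet_append_record enforces the rdata limit with an assertion, which disappears under NDEBUG and otherwise aborts the whole process. The function already has a `fail` path (the `goto fail;` two lines above), so an oversized rdata is better treated as an ordinary error: `if (size > AVAHI_DNS_RDATA_MAX) goto fail;`. Whether a peer can influence this size depends on callers not shown here, but the length is presumably written into a 16-bit field afterwards, so the check should also hold in release builds. The function starts and ends outside the hunk.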