X-Git-Url: http://git.meshlink.io/?a=blobdiff_plain;f=avahi-core%2Fdns.c;h=41ccc8f3503c689e93ae6e612d22100f3656b3b5;hb=a4572037763c65ec34ac921a6e15b936c6525b5d;hp=b91ccd0b84dd671eeb0eb413d4fba1f63e11dac7;hpb=f6712902a92eb82b6c8d7e7fd0980a20a716fa0d;p=catta diff --git a/avahi-core/dns.c b/avahi-core/dns.c index b91ccd0..41ccc8f 100644 --- a/avahi-core/dns.c +++ b/avahi-core/dns.c @@ -23,13 +23,14 @@ #include #endif -#include - #include #include #include #include +#include +#include + #include #include #include @@ -152,6 +153,19 @@ void avahi_dns_packet_inc_field(AvahiDnsPacket *p, unsigned idx) { avahi_dns_packet_set_field(p, idx, avahi_dns_packet_get_field(p, idx) + 1); } + +static void name_table_cleanup(void *key, void *value, void *user_data) { + AvahiDnsPacket *p = user_data; + + if ((uint8_t*) value >= AVAHI_DNS_PACKET_DATA(p) + p->size) + avahi_hashmap_remove(p->name_table, key); +} + +void avahi_dns_packet_cleanup_name_table(AvahiDnsPacket *p) { + if (p->name_table) + avahi_hashmap_foreach(p->name_table, name_table_cleanup, p); +} + uint8_t* avahi_dns_packet_append_name(AvahiDnsPacket *p, const char *name) { uint8_t *d, *saved_ptr = NULL; size_t saved_size; @@ -215,6 +229,8 @@ uint8_t* avahi_dns_packet_append_name(AvahiDnsPacket *p, const char *name) { fail: p->size = saved_size; + avahi_dns_packet_cleanup_name_table(p); + return NULL; } @@ -322,7 +338,6 @@ int avahi_dns_packet_check_valid_multicast(AvahiDnsPacket *p) { return 0; } - int avahi_dns_packet_is_query(AvahiDnsPacket *p) { assert(p); @@ -333,9 +348,11 @@ static int consume_labels(AvahiDnsPacket *p, unsigned idx, char *ret_name, size_ int ret = 0; int compressed = 0; int first_label = 1; + unsigned label_ptr; + int i; assert(p && ret_name && l); - for (;;) { + for (i = 0; i < AVAHI_DNS_LABELS_MAX; i++) { uint8_t n; if (idx+1 > p->size) 
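Review bot: `name_table_cleanup` calls `avahi_hashmap_remove` on `p->name_table` from inside the `avahi_hashmap_foreach` callback, which is only safe if the iterator tolerates removal of the entry it is currently visiting. That implementation is not visible in this diff, so it is worth confirming and recording in a comment. The new public `avahi_dns_packet_cleanup_name_table` also lacks the `assert(p);` that neighbouring functions such as `avahi_dns_packet_is_query` use. I would add a header comment such as `/* Drop name-table entries that point at or beyond p->size, so that a rolled-back append leaves no entries referring to bytes that will be overwritten */`. The same call is added on the failure paths of `avahi_dns_packet_append_name`, `avahi_dns_packet_append_key` and `avahi_dns_packet_append_record`.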
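Review bot: The counter added to the `for` loop in `consume_labels` advances once per iteration, so it appears to count compression-pointer hops and the terminating zero byte against `AVAHI_DNS_LABELS_MAX` as well as labels. That makes the constant an iteration cap rather than a label cap, which the code does not say. A comment on the loop would make the intent explicit, for example `/* Bound the total number of iterations (labels, terminator and pointer hops) so a malformed packet cannot keep the parser looping */`. The trailing `return -1;` added after the loop in a later hunk is the path taken when the cap is hit and deserves the same one-line explanation. Most of the loop body lies outside this hunk, so the exact accounting should be checked against the full function.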
@@ -385,7 +402,12 @@ static int consume_labels(AvahiDnsPacket *p, unsigned idx, char *ret_name, size_ if (idx+2 > p->size) return -1; - idx = ((unsigned) (AVAHI_DNS_PACKET_DATA(p)[idx] & ~0xC0)) << 8 | AVAHI_DNS_PACKET_DATA(p)[idx+1]; + label_ptr = ((unsigned) (AVAHI_DNS_PACKET_DATA(p)[idx] & ~0xC0)) << 8 | AVAHI_DNS_PACKET_DATA(p)[idx+1]; + + if ((label_ptr < AVAHI_DNS_PACKET_HEADER_SIZE) || (label_ptr >= idx)) + return -1; + + idx = label_ptr; if (!compressed) ret += 2; @@ -394,6 +416,8 @@ static int consume_labels(AvahiDnsPacket *p, unsigned idx, char *ret_name, size_ } else return -1; } + + return -1; } int avahi_dns_packet_consume_name(AvahiDnsPacket *p, char *ret_name, size_t l) { @@ -580,6 +604,7 @@ static int parse_rdata(AvahiDnsPacket *p, AvahiRecord *r, uint16_t rdlength) { if (rdlength > 0) { r->data.generic.data = avahi_memdup(avahi_dns_packet_get_rptr(p), rdlength); + r->data.generic.size = rdlength; if (avahi_dns_packet_skip(p, rdlength) < 0) return -1; @@ -621,6 +646,9 @@ AvahiRecord* avahi_dns_packet_consume_record(AvahiDnsPacket *p, int *ret_cache_f if (parse_rdata(p, r, rdlength) < 0) goto fail; + + if (!avahi_record_is_valid(r)) + goto fail; return r; @@ -634,6 +662,7 @@ fail: AvahiKey* avahi_dns_packet_consume_key(AvahiDnsPacket *p, int *ret_unicast_response) { char name[256]; uint16_t type, class; + AvahiKey *k; assert(p); @@ -647,7 +676,15 @@ AvahiKey* avahi_dns_packet_consume_key(AvahiDnsPacket *p, int *ret_unicast_respo class &= ~AVAHI_DNS_UNICAST_RESPONSE; - return avahi_key_new(name, class, type); + if (!(k = avahi_key_new(name, class, type))) + return NULL; + + if (!avahi_key_is_valid(k)) { + avahi_key_unref(k); + return NULL; + } + + return k; } uint8_t* avahi_dns_packet_append_key(AvahiDnsPacket *p, AvahiKey *k, int unicast_response) { 
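Review bot: The new test `label_ptr >= idx` compares the target with the position of the pointer itself, not with the start of the name being decoded or with the previous jump target. A pointer can therefore still land on labels that run forward into a pointer already visited, and termination in that case rests entirely on the iteration cap added to the `for` loop. A stricter rule is to remember the last target (initialised to the starting `idx`) and require each new target to be below it, `if (label_ptr < AVAHI_DNS_PACKET_HEADER_SIZE || label_ptr >= last_target) return -1;`. At minimum I would add a comment stating that pointers must refer backwards and past the header, and that loops are bounded by the cap. The declarations this needs are outside the hunk.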
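Review bot: In the generic branch of `parse_rdata`, `avahi_memdup` copies `rdlength` bytes from the read pointer before `avahi_dns_packet_skip` has a chance to reject a length that runs past the packet. Unless the caller (outside this hunk) has already bounded `rdlength` against the remaining bytes, the copy can read beyond the packet data; validating the length first (take the pointer, skip, then copy) removes that dependency. The result of `avahi_memdup` is also unchecked, and now that `size` is assigned unconditionally, a failed allocation would leave a record with NULL `data` and a non-zero `size`. I would write `if (!(r->data.generic.data = avahi_memdup(ptr, rdlength))) return -1;` before setting `r->data.generic.size`.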
@@ -663,6 +700,8 @@ uint8_t* avahi_dns_packet_append_key(AvahiDnsPacket *p, AvahiKey *k, int unicast !avahi_dns_packet_append_uint16(p, k->type) || !avahi_dns_packet_append_uint16(p, k->clazz | (unicast_response ? AVAHI_DNS_UNICAST_RESPONSE : 0))) { p->size = size; + avahi_dns_packet_cleanup_name_table(p); + return NULL; } @@ -733,7 +772,7 @@ static int append_rdata(AvahiDnsPacket *p, AvahiRecord *r) { default: if (r->data.generic.size) - if (avahi_dns_packet_append_bytes(p, r->data.generic.data, r->data.generic.size)) + if (!avahi_dns_packet_append_bytes(p, r->data.generic.data, r->data.generic.size)) return -1; break; @@ -765,7 +804,7 @@ uint8_t* avahi_dns_packet_append_record(AvahiDnsPacket *p, AvahiRecord *r, int c goto fail; size = avahi_dns_packet_extend(p, 0) - start; - assert(size <= 0xFFFF); + assert(size <= AVAHI_DNS_RDATA_MAX); /* avahi_log_debug("appended %u", size); */ @@ -777,6 +816,8 @@ uint8_t* avahi_dns_packet_append_record(AvahiDnsPacket *p, AvahiRecord *r, int c fail: p->size = size; + avahi_dns_packet_cleanup_name_table(p); + return NULL; }
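Review bot: The corrected test in the `default:` branch of `append_rdata` still sits in an unbraced `if` nested inside another unbraced `if`, which makes the success/failure sense of `avahi_dns_packet_append_bytes` hard to read at a glance. A single condition states it in one place: `if (r->data.generic.size && !avahi_dns_packet_append_bytes(p, r->data.generic.data, r->data.generic.size)) return -1;`. A short comment that the append helpers return NULL on failure would also help, since the inverted check fixed here came from treating a non-NULL result as an error.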
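Review bot: `assert(size <= AVAHI_DNS_RDATA_MAX)` is the only visible guard on the rdata length in `avahi_dns_packet_append_record`. It disappears in builds with `NDEBUG` and aborts the process in debug builds when a record is oversized, so a runtime check that takes the failure path would be more robust. Note that `size` is reused here for the rdata length while the `fail:` label in the next hunk restores `p->size = size`, so such a check needs its own variable, e.g. `rdlen = avahi_dns_packet_extend(p, 0) - start; if (rdlen > AVAHI_DNS_RDATA_MAX) goto fail;`. The function starts and ends outside these hunks, so the declaration of the new variable and any later use of `size` need adjusting there.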