From efbbdf72992cd20458259962346044cafd9331c0 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Wed, 5 Dec 2018 17:56:29 +0100
Subject: [PATCH] BUG: dns: Prevent out-of-bounds read in
dns_validate_dns_response()
We need to make sure that the record length is not making us read
past the end of the data we received.
Before this patch we could for example read the 16 bytes
corresponding to an AAAA record from the non-initialized part of
the buffer, possibly accessing anything that was left on the stack,
or even past the end of the 8193-byte buffer, depending on the
value of accepted_payload_size.
To be backported to 1.8, probably also 1.7.
---
src/dns.c | 5 +++++
1 file changed, 5 insertions(+)
Index: haproxy-1.8.13/src/dns.c
===================================================================
--- haproxy-1.8.13.orig/src/dns.c
|
|
+++ haproxy-1.8.13/src/dns.c
|
|
@@ -798,6 +798,11 @@ static int dns_validate_dns_response(uns
|
|
/* Move forward 2 bytes for data len */
|
|
reader += 2;
|
|
|
|
+ if (reader + dns_answer_record->data_len >= bufend) {
|
|
+ pool_free(dns_answer_item_pool, dns_answer_record);
|
|
+ return DNS_RESP_INVALID;
|
|
+ }
|
|
+
|
|
/* Analyzing record content */
|
|
switch (dns_answer_record->type) {
|
|
case DNS_RTYPE_A:
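Review bot: The new guard `if (reader + dns_answer_record->data_len >= bufend)` uses `>=`, so a record whose data ends exactly at bufend is rejected as DNS_RESP_INVALID; if bufend is one past the last received byte, as the surrounding `reader` arithmetic suggests, a well-formed response whose final RR fills the received data would be dropped and the comparison should be `>`. Computing `reader + data_len` before comparing is also pointer arithmetic that, for a 16-bit data_len, can point far beyond the 8193-byte buffer, which is undefined behaviour in C even when the result is only compared; `if (dns_answer_record->data_len > (size_t)(bufend - reader))` avoids both issues in one line. This check assumes the 2-byte data_len read just above (`reader += 2`) was itself bounded against bufend earlier in the function, which is outside the hunk and worth confirming. It also bounds data_len against the buffer but not against the fixed size the type-specific cases consume (4 bytes for A, 16 for AAAA), so unless the cases below the hunk validate data_len themselves, an AAAA record advertising a shorter data_len still has 16 bytes read past its own data, inside the buffer. dns_validate_dns_response starts and ends outside this hunk.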
|
|
|