From: Daniel Wagner <wagi@monom.org>
To: connman@lists.linux.dev
Cc: Valery Kashcheev <v.kascheev@omp.ru>
Subject: [PATCH] dnsproxy: Check the length of buffers before memcpy
Date: Wed, 9 Jun 2021 09:59:35 +0200 [thread overview]
Message-ID: <20210609075935.21746-1-wagi@monom.org> (raw)
From: Valery Kashcheev <v.kascheev@omp.ru>
Fix using a stack-based buffer overflow attack by checking the length of
the ptr and uptr buffers.
Fix debug message output.
Fixes: CVE-2021-33833
---
src/dnsproxy.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/src/dnsproxy.c b/src/dnsproxy.c
index de52df5ad0a0..38dbdd71e425 100644
--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
* tmp buffer.
*/
- debug("pos %d ulen %d left %d name %s", pos, ulen,
- (int)(uncomp_len - (uptr - uncompressed)), uptr);
-
- ulen = strlen(name);
- if ((uptr + ulen + 1) > uncomp_end) {
+ ulen = strlen(name) + 1;
+ if ((uptr + ulen) > uncomp_end)
goto out;
- }
- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
+ strncpy(uptr, name, ulen);
+
+ debug("pos %d ulen %d left %d name %s", pos, ulen,
+ (int)(uncomp_end - (uptr + ulen)), uptr);
uptr += ulen;
- *uptr++ = '\0';
ptr += pos;
@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
} else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
dlen = uptr[-2] << 8 | uptr[-1];
- if (ptr + dlen > end) {
+ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
debug("data len %d too long", dlen);
goto out;
}
@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
* refresh interval, retry interval, expiration
* limit and minimum ttl). They are 20 bytes long.
*/
+ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
+ debug("soa record too long");
+ goto out;
+ }
memcpy(uptr, ptr, 20);
uptr += 20;
ptr += 20;
--
2.31.1
next reply other threads:[~2021-06-09 7:59 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-09 7:59 Daniel Wagner [this message]
2021-06-09 8:00 ` [PATCH] dnsproxy: Check the length of buffers before memcpy Daniel Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210609075935.21746-1-wagi@monom.org \
--to=wagi@monom.org \
--cc=connman@lists.linux.dev \
--cc=v.kascheev@omp.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).