Fix out-of-bounds memory access in DNS TXT record parser.

The datalen variable is declared unsigned.  If txtlen and datalen are equal,
datalen will first be reduced to 0, and then the datalen-- line will cause its
value to wrap to 65535.  This will cause the loop to continue much longer than
intended, and eventually may crash on an out-of-bounds *tdata dereference.

Signed-off-by: Aaron Campbell <aaron@monkey.org>
pull/1762/head
Aaron Campbell 10 years ago committed by Victor Julien
parent 4dfbc0effa
commit 50f4fb2a72

@ -979,7 +979,7 @@ const uint8_t *DNSReponseParse(DNSState *dns_state, const DNSHeader * const dns_
do {
//PrintRawDataFp(stdout, (uint8_t*)tdata, txtlen);
if (txtlen > datalen)
if (txtlen >= datalen)
goto bad_data;
DNSStoreAnswerInState(dns_state, list, fqdn, fqdn_len,
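Review bot: The new `if (txtlen >= datalen)` test has no comment saying why equality must be rejected, and the reason is not visible at this line: per the commit message, datalen is unsigned and a later `datalen--` wraps it to 65535 when txtlen equals datalen. Please add a one-line comment at the check stating that datalen must remain strictly greater than txtlen so that the later decrement cannot underflow. Without it, a future cleanup could reasonably "correct" the comparison back to `>`. Since the safety of the loop depends on a decrement that sits away from this check, it would also help to add a regression test with a TXT record where txtlen equals the remaining datalen. While touching this block, the commented-out `PrintRawDataFp` debug call could be dropped.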
