Merge pull request from GHSA-q9cp-8wcq-7pfr

* Prevent heap buffer overflow when parsing DNS packet * Fixed incorrect check in get_name*()
pjsip · Mar 14, 2023 · d1c5e4d · d1c5e4d · taladrane · Mar 17, 2023
1 parent 5e2d564
commit d1c5e4d
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/pjlib-util/src/pjlib-util/dns.c b/pjlib-util/src/pjlib-util/dns.c
@@ -127,6 +127,9 @@ static pj_status_t get_name_len(int rec_counter, const pj_uint8_t *pkt,
         return PJLIB_UTIL_EDNSINNAMEPTR;
     }
 
+    if (start >= max)
+        return PJLIB_UTIL_EDNSINNAMEPTR;
+
     *name_len = *parsed_len = 0;
     p = start;
     while (*p) {
@@ -199,6 +202,9 @@ static pj_status_t get_name(int rec_counter, const pj_uint8_t *pkt,
         return PJLIB_UTIL_EDNSINNAMEPTR;
     }
 
+    if (start >= max)
+        return PJLIB_UTIL_EDNSINNAMEPTR;
+
     p = start;
     while (*p) {
         if ((*p & 0xc0) == 0xc0) {
@@ -359,10 +365,14 @@ static pj_status_t parse_rr(pj_dns_parsed_rr *rr, pj_pool_t *pool,
 
     /* Parse some well known records */
     if (rr->type == PJ_DNS_TYPE_A) {
+        if (p + 4 > max)
+            return PJLIB_UTIL_EDNSINSIZE;
         pj_memcpy(&rr->rdata.a.ip_addr, p, 4);
         p += 4;
 
     } else if (rr->type == PJ_DNS_TYPE_AAAA) {
+        if (p + 16 > max)
+            return PJLIB_UTIL_EDNSINSIZE;
         pj_memcpy(&rr->rdata.aaaa.ip_addr, p, 16);
         p += 16;
 
@@ -388,6 +398,8 @@ static pj_status_t parse_rr(pj_dns_parsed_rr *rr, pj_pool_t *pool,
         p += name_part_len;
 
     } else if (rr->type == PJ_DNS_TYPE_SRV) {
+        if (p + 6 > max)
+            return PJLIB_UTIL_EDNSINSIZE;
 
         /* Priority */
         pj_memcpy(&rr->rdata.srv.prio, p, 2);