[glib: 2/13] gthreadedresolver: Check header length when parsing response
- From: Philip Withnall <pwithnall src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib: 2/13] gthreadedresolver: Check header length when parsing response
- Date: Tue, 22 Mar 2022 15:18:51 +0000 (UTC)
commit 263ca69da80eab0a2b8e3308a562675a8c643988
Author: Philip Withnall <pwithnall endlessos org>
Date: Fri Mar 18 15:49:33 2022 +0000
gthreadedresolver: Check header length when parsing response
Otherwise we could read off the end of an invalid response.
oss-fuzz#42538
Signed-off-by: Philip Withnall <pwithnall endlessos org>
gio/gthreadedresolver.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
---
diff --git a/gio/gthreadedresolver.c b/gio/gthreadedresolver.c
index 48545d6ad5..3caa9f36e6 100644
--- a/gio/gthreadedresolver.c
+++ b/gio/gthreadedresolver.c
@@ -667,6 +667,7 @@ g_resolver_records_from_res_query (const gchar *rrname,
const HEADER *header;
GList *records;
GVariant *record;
+ gsize len_unsigned;
if (len <= 0)
{
@@ -689,11 +690,23 @@ g_resolver_records_from_res_query (const gchar *rrname,
return NULL;
}
+ /* We know len ā„ 0 now. */
+ len_unsigned = (gsize) len;
+
+ if (len_unsigned < sizeof (HEADER))
+ {
+ g_set_error (error, G_RESOLVER_ERROR, G_RESOLVER_ERROR_INTERNAL,
+ /* Translators: the first placeholder is a domain name, the
+ * second is an error message */
+ _("Error resolving ā%sā: %s"), rrname, _("Malformed DNS packet"));
+ return NULL;
+ }
+
records = NULL;
header = (HEADER *)answer;
p = answer + sizeof (HEADER);
- end = answer + len;
+ end = answer + len_unsigned;
/* Skip query */
count = ntohs (header->qdcount);
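Review bot: The new `len_unsigned < sizeof (HEADER)` check only guarantees that the fixed header is readable; `header->qdcount`, read on the last line of this hunk, is still a count taken from the response, and the query-skipping code that consumes it lies outside the hunk. If that loop and the record parsing after it do not compare `p` against `end` before each read, a truncated or malformed response that passes this check could presumably still be read past its end. I would add a comment above `records = NULL;` such as `/* Only the fixed header is validated here; every read after it must be checked against end. */` and confirm the rest of the function does so. The function body begins and ends outside the hunk, so this cannot be verified from the lines shown.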