diff options
author | Lorenzo Colitti <lorenzo@google.com> | 2017-08-15 14:44:49 +0900 |
---|---|---|
committer | Dan Pasanen <dan.pasanen@gmail.com> | 2017-10-02 17:20:08 -0500 |
commit | 0b7daf3ad113879a92de1f1801f14ecdb7deaa90 (patch) | |
tree | 41734e6511591b3269984ff71ea8511e870e5acf | |
parent | ca135c12abf76ce217b89c82d6040c2afa4f6648 (diff) | |
download | android_external_dnsmasq-0b7daf3ad113879a92de1f1801f14ecdb7deaa90.tar.gz android_external_dnsmasq-0b7daf3ad113879a92de1f1801f14ecdb7deaa90.tar.bz2 android_external_dnsmasq-0b7daf3ad113879a92de1f1801f14ecdb7deaa90.zip |
Make dnsmasq more stable.
1. Fix the length check in extract_name.
2. Add a size check to answer_request.
Bug: 64575136
Test: builds
Test: wifi tethering works
Change-Id: Ie38321ab02b7cfdc603958a884cd8f37724fedcc
(cherry picked from commit f25df861463c07908f39d9b43fe8888a4b31e848)
-rwxr-xr-x | src/rfc1035.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/rfc1035.c b/src/rfc1035.c index 8ae0bfa..265e4df 100755 --- a/src/rfc1035.c +++ b/src/rfc1035.c @@ -48,7 +48,7 @@ static int extract_name(HEADER *header, size_t plen, unsigned char **pp, /* end marker */ { /* check that there are the correct no of bytes after the name */ - if (!CHECK_LEN(header, p, plen, extrabytes)) + if (!CHECK_LEN(header, p1 ? p1 : p, plen, extrabytes)) return 0; if (isExtract) @@ -1142,6 +1142,9 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen, struct crec *crecp; int nxdomain = 0, auth = 1, trunc = 0; struct mx_srv_record *rec; + + // Make sure we do not underflow here too. + if (qlen > (limit - ((char *)header))) return 0; /* If there is an RFC2671 pseudoheader then it will be overwritten by partial replies, so we have to do a dry run to see if we can answer |