From 2fbaeb9694216b223b564c37f7b9e673caba8243 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter
Date: Thu, 2 Nov 2023 20:11:39 +0000
Subject: [PATCH] LibDNS: Prevent malformed DNS packets from causing buffer overflows
---
 Userland/Libraries/LibDNS/Packet.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/Userland/Libraries/LibDNS/Packet.cpp b/Userland/Libraries/LibDNS/Packet.cpp
index 8f43ffb2ba..0671dc72d1 100644
--- a/Userland/Libraries/LibDNS/Packet.cpp
+++ b/Userland/Libraries/LibDNS/Packet.cpp
@@ -128,6 +128,9 @@ Optional Packet::from_raw_packet(ReadonlyBytes bytes)
 NetworkOrdered record_type;
 NetworkOrdered class_code;
 };
+ if (offset >= bytes.size() || bytes.size() - offset < sizeof(RawDNSAnswerQuestion))
+ return {};
+
 auto const& record_and_class = *bit_cast(bytes.offset_pointer(offset));
 u16 class_code = record_and_class.class_code & ~MDNS_WANTS_UNICAST_RESPONSE;
 bool mdns_wants_unicast_response = record_and_class.class_code & MDNS_WANTS_UNICAST_RESPONSE;
@@ -139,8 +142,13 @@ Optional Packet::from_raw_packet(ReadonlyBytes bytes)
 for (u16 i = 0; i < header.answer_count(); ++i) {
 auto name = Name::parse(bytes, offset);
+ if (offset >= bytes.size() || bytes.size() - offset < sizeof(DNSRecordWithoutName))
+ return {};
+
 auto const& record = *bit_cast(bytes.offset_pointer(offset));
 offset += sizeof(DNSRecordWithoutName);
+ if (record.data_length() > bytes.size() - offset)
+ return {};
 DeprecatedString data;
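Review bot: The bounds check added before the `bit_cast` in the question loop (first hunk, `@@ -128,6 +128,9 @@`) is only correct because `offset >= bytes.size()` is evaluated before `bytes.size() - offset`; the subtraction is presumably on unsigned sizes and would wrap to a very large value if `offset` had been advanced past the end of the packet, letting the read through. Nothing on the line records that ordering requirement, and the same expression is written out a second time in the answer loop in the next hunk, where a later edit could easily reorder or simplify it. I would fold both sites into one helper defined ahead of the loops, e.g. `auto has_remaining = [&](size_t n) { return offset <= bytes.size() && bytes.size() - offset >= n; };`, with a comment that `offset` is derived from untrusted packet contents, and call `if (!has_remaining(sizeof(RawDNSAnswerQuestion))) return {};` at each read. `from_raw_packet` begins and ends outside the hunk, so the helper's placement needs checking against the full function. The diffstat lists only Packet.cpp, so a regression test that feeds a truncated packet would also be worth adding to keep these checks from being dropped later.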