RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 00:57:45 +00:00
Code Issues Activity Actions

LibDNS: Prevent malformed DNS packets from causing buffer overflows

Browse source
This commit is contained in:
Tim Ledbetter 2023-11-02 20:11:39 +00:00 committed by Andreas Kling
parent 4e3b59a4bb
commit 2fbaeb9694
1 changed files with 8 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Userland/Libraries/LibDNS/Packet.cpp
View file

@ -128,6 +128,9 @@ Optional<Packet> Packet::from_raw_packet(ReadonlyBytes bytes)
NetworkOrdered<u16> record_type; NetworkOrdered<u16> record_type;
NetworkOrdered<u16> class_code; NetworkOrdered<u16> class_code;
}; };
if (offset >= bytes.size() || bytes.size() - offset < sizeof(RawDNSAnswerQuestion))
return {};
auto const& record_and_class = *bit_cast<RawDNSAnswerQuestion const*>(bytes.offset_pointer(offset)); auto const& record_and_class = *bit_cast<RawDNSAnswerQuestion const*>(bytes.offset_pointer(offset));
u16 class_code = record_and_class.class_code & ~MDNS_WANTS_UNICAST_RESPONSE; u16 class_code = record_and_class.class_code & ~MDNS_WANTS_UNICAST_RESPONSE;
bool mdns_wants_unicast_response = record_and_class.class_code & MDNS_WANTS_UNICAST_RESPONSE; bool mdns_wants_unicast_response = record_and_class.class_code & MDNS_WANTS_UNICAST_RESPONSE;
@ -139,8 +142,13 @@ Optional<Packet> Packet::from_raw_packet(ReadonlyBytes bytes)
for (u16 i = 0; i < header.answer_count(); ++i) { for (u16 i = 0; i < header.answer_count(); ++i) {
auto name = Name::parse(bytes, offset); auto name = Name::parse(bytes, offset);
if (offset >= bytes.size() || bytes.size() - offset < sizeof(DNSRecordWithoutName))
return {};
auto const& record = *bit_cast<DNSRecordWithoutName const*>(bytes.offset_pointer(offset)); auto const& record = *bit_cast<DNSRecordWithoutName const*>(bytes.offset_pointer(offset));
offset += sizeof(DNSRecordWithoutName); offset += sizeof(DNSRecordWithoutName);
if (record.data_length() > bytes.size() - offset)
return {};
DeprecatedString data; DeprecatedString data;