SECURITY: pap_mailbox822: Properly check st from adns__findlabel_next

Without this, an uninitialised stack value can be used as the first
label length.  Depending on the circumstances, an attacker might be
able to trick adns into crashing the calling program, leaking aspects
of the contents of some of its memory, causing it to allocate lots of
memory, or perhaps overrunning a buffer.

This is only possible with applications which make non-raw queries for
SOA or RP records.

Found by AFL 2.35b.  CVE-2017-9103.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

diff --git a/src/types.c b/src/types.c
index a4478fa369831a482e0e5a480bcf78d226c1fb39..5e2bd14d06082ce3d2b802b8cf83605675fb7a70 100644 (file)
--- a/src/types.c
+++ b/src/types.c
@@ -1278,6 +1278,7 @@ static adns_status pap_mailbox822(const parseinfo *pai,
                        pai->dgram, pai->dglen, max,
                        *cbyte_io, cbyte_io);
   st= adns__findlabel_next(&fls,&lablen,&labstart);
+  if (st) return st;
   if (!lablen) {
     adns__vbuf_appendstr(vb,".");
     goto x_ok;