From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Wed, 23 Nov 2016 21:03:40 +0000 (+0000)
Subject: SECURITY: pap_mailbox822: Properly check st from adns__findlabel_next
X-Git-Tag: adns-1.5.2~31
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=020d86e2eccc2dbdfa9dcca08ddb327cc7ca3ae2;hp=2f6e879e0fca1715d5c5946bcedb4f821ce64d77;p=adns.git

SECURITY: pap_mailbox822: Properly check st from adns__findlabel_next

Without this, an uninitialised stack value can be used as the first
label length.  Depending on the circumstances, an attacker might be
able to trick adns into crashing the calling program, leaking aspects
of the contents of some of its memory, causing it to allocate lots of
memory, or perhaps overrunning a buffer.

This is only possible with applications which make non-raw queries for
SOA or RP records.

Found by AFL 2.35b.  CVE-2017-9103.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---

diff --git a/src/types.c b/src/types.c
index a4478fa..5e2bd14 100644
--- a/src/types.c
+++ b/src/types.c
@@ -1278,6 +1278,7 @@ static adns_status pap_mailbox822(const parseinfo *pai,
 			pai->dgram, pai->dglen, max,
 			*cbyte_io, cbyte_io);
   st= adns__findlabel_next(&fls,&lablen,&labstart);
+  if (st) return st;
   if (!lablen) {
     adns__vbuf_appendstr(vb,".");
     goto x_ok;