DNS packet parsing: Slight fix when packet is truncated
author: Ian Jackson <ijackson@chiark.greenend.org.uk>
Thu, 8 Dec 2016 18:58:40 +0000 (18:58 +0000)
committer: Ian Jackson <ijackson@chiark.greenend.org.uk>
Tue, 26 May 2020 19:23:40 +0000 (20:23 +0100)
If the packet is truncated, adns__findrr_anychk returns adns_s_ok,
setting *type_r to -1.  It does not guarantee to set the other
outputs.

So, in pap_findaddrs, check for this first, rather than perhaps
reading the uninitialised `ownermatched' value.

And in adns__procdgram check the type before checking the (technically
in this case undefined) class.

In practice there is no bug in actual compiled code, because in both
call sites another test will DTRT.  I don't think contemporary
compilers spot and exploit this bug for "optimisation".

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
src/reply.c
src/types.c

index 0379ca441ff52f90feefdce6cf3dc333c7b808a7..ca0de2f4a3af07c217585d2f8585ece00075803b 100644 (file)
@@ -340,8 +340,8 @@ void adns__procdgram(adns_state ads, const byte *dgram, int dglen,
                     &ownermatched);
     assert(!st); assert(rrtype != -1);
     if (rri < restartfrom ||
-       rrclass != DNS_CLASS_IN ||
        rrtype != (qu->answer->type & adns_rrt_typemask) ||
+       rrclass != DNS_CLASS_IN ||
        !ownermatched)
       continue;
     adns__update_expires(qu,ttl,now);
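Review bot: in this hunk the reorder only changes behaviour when the `assert(rrtype != -1)` two lines above is compiled out (NDEBUG); with the assert active, `rrtype` can never be -1 here, so `rrclass` was never read uninitialised in asserting builds. The swap is still the right defensive ordering: because `||` short-circuits, a truncated packet (`rrtype == -1`) now fails `rrtype != (qu->answer->type & adns_rrt_typemask)` and the undefined `rrclass` and `ownermatched` are never inspected. It would help the next reader to say so in a one-line comment above the `if`, e.g. `/* rrtype must be tested first: on truncation rrclass/ownermatched are undefined */`, since nothing in the condition itself explains why the order matters.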
index 65b9065947c7150b84051166320ce571bf06b6b2..78db1e2179d33b27151e1fc6f140fa264532c321 100644 (file)
@@ -838,6 +838,7 @@ static adns_status pap_findaddrs(const parseinfo *pai, adns_rr_hostaddr *ha,
                            &type, &class, &ttl, &rdlen, &rdstart,
                            pai->dgram, pai->dglen, dmstart, &ownermatched);
     if (st) return st;
+    if (type==-1) continue;
     if (!ownermatched || class != DNS_CLASS_IN) continue;
     typef= addr_rrtypeflag(type);
     if (!(want & typef)) continue;
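Review bot: the new `if (type==-1) continue;` is correctly placed after `if (st) return st;` and before the line that reads `ownermatched` and `class`, so the uninitialised read described in the commit message is closed off. Two points worth addressing: first, a short comment on why `-1` is special (adns__findrr_anychk reports truncation with `adns_s_ok` and `*type_r == -1`, leaving the other outputs unset) would stop a future reader from "simplifying" the two `continue`s back into one condition; second, once the datagram is known to be truncated it is worth checking whether later iterations of this loop can still make progress, and if they cannot, a `break` would state the intent more clearly than `continue`.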