From 020d86e2eccc2dbdfa9dcca08ddb327cc7ca3ae2 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Wed, 23 Nov 2016 21:03:40 +0000
Subject: [PATCH] SECURITY: pap_mailbox822: Properly check st from
 adns__findlabel_next

Without this, an uninitialised stack value can be used as the first
label length.  Depending on the circumstances, an attacker might be
able to trick adns into crashing the calling program, leaking aspects
of the contents of some of its memory, causing it to allocate lots of
memory, or perhaps overrunning a buffer.

This is only possible with applications which make non-raw queries for
SOA or RP records.

Found by AFL 2.35b.  CVE-2017-9103.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
 src/types.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/types.c b/src/types.c
index a4478fa..5e2bd14 100644
--- a/src/types.c
+++ b/src/types.c
@@ -1278,6 +1278,7 @@ static adns_status pap_mailbox822(const parseinfo *pai,
 			pai->dgram, pai->dglen, max,
 			*cbyte_io, cbyte_io);
   st= adns__findlabel_next(&fls,&lablen,&labstart);
+  if (st) return st;
   if (!lablen) {
     adns__vbuf_appendstr(vb,".");
     goto x_ok;
-- 
2.30.2