From d4b6031596d2b42d44ca120db72178d8a86fb658 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Thu, 8 Dec 2016 18:58:40 +0000
Subject: [PATCH] DNS packet parsing: Slight fix when packet is truncated

If the packet is truncated, adns__findrr_anychk returns adns_s_ok, setting *type_r to -1. It does not guarantee to set the other outputs. So, in pap_findaddrs, check for this first, rather than perhaps reading the uninitialised `ownermatched' value. And in adns__procdgram check the type before checking the (technically in this case undefined) class. In practice there is no bug in actual compiled code, because in both call sites another test will DTRT. I don't think contemporary compilers spot and exploit this bug for "optimisation".

Signed-off-by: Ian Jackson
---
 src/reply.c | 2 +-
 src/types.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/reply.c b/src/reply.c
index 0379ca4..ca0de2f 100644
--- a/src/reply.c
+++ b/src/reply.c
@@ -340,8 +340,8 @@ void adns__procdgram(adns_state ads, const byte *dgram, int dglen,
 &ownermatched);
 assert(!st); assert(rrtype != -1);
 if (rri < restartfrom ||
- rrclass != DNS_CLASS_IN ||
 rrtype != (qu->answer->type & adns_rrt_typemask) ||
+ rrclass != DNS_CLASS_IN ||
 !ownermatched)
 continue;
 adns__update_expires(qu,ttl,now);
diff --git a/src/types.c b/src/types.c
index 65b9065..78db1e2 100644
--- a/src/types.c
+++ b/src/types.c
@@ -838,6 +838,7 @@ static adns_status pap_findaddrs(const parseinfo *pai, adns_rr_hostaddr *ha,
 &type, &class, &ttl, &rdlen, &rdstart,
 pai->dgram, pai->dglen, dmstart, &ownermatched);
 if (st) return st;
+ if (type==-1) continue;
 if (!ownermatched || class != DNS_CLASS_IN) continue;
 typef= addr_rrtypeflag(type);
 if (!(want & typef)) continue;
--
2.30.2
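Review bot: The reordered condition in adns__procdgram now relies on operand order to stay correct, but nothing in the code says so: the protection against reading the unset `rrclass` and `ownermatched` on a truncated packet comes only from `rrtype != (qu->answer->type & adns_rrt_typemask)` short-circuiting first when `rrtype` is -1, and the `assert(rrtype != -1)` on the line above is compiled out under NDEBUG, so a later tidy-up that re-sorts the operands would silently reintroduce the uninitialised read. I would pin the ordering with a comment above the `if`, e.g. `/* rrtype must be tested before rrclass/ownermatched: on a truncated packet adns__findrr_anychk reports ok with rrtype==-1 and leaves the other outputs unset. */`. The enclosing function adns__procdgram starts and ends outside the hunk.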
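Review bot: The added `if (type==-1) continue;` in pap_findaddrs reads as redundant next to the `!ownermatched || class != DNS_CLASS_IN` test that follows it, so a maintainer may merge or reorder the two; the reason it must come first, and must read only `type`, is visible in the commit message but not at the call site. A short comment on the new line would preserve that, e.g. `/* truncated packet: adns__findrr_anychk returned ok but set only type (to -1); ownermatched and class are not valid here */`. As a point of style, the new line uses `type==-1` while the neighbouring context line in the same hunk writes `class != DNS_CLASS_IN`; `if (type == -1) continue;` would match the surrounding spacing. The enclosing function pap_findaddrs starts and ends outside the hunk.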