[SR-Dev] git:ser_core_cvs: dns: more strict record end checking

Andrei Pelinescu-Onciul andrei at iptel.org
Mon Mar 30 20:50:42 CEST 2009


Module: sip-router
Branch: ser_core_cvs
Commit: a73ecb4c33a829a1a08fbf04dc7483c79443ccfb
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=a73ecb4c33a829a1a08fbf04dc7483c79443ccfb

Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei at iptel.org>
Date:   Mon Mar 30 13:59:42 2009 +0000

dns: more strict record end checking

- be more strict and always check that a record doesn't exceed its
  declared length (before we checked only if the end is inside the
  message).

---

 resolve.c |   16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/resolve.c b/resolve.c
index b007918..9f55f3d 100644
--- a/resolve.c
+++ b/resolve.c
@@ -499,6 +499,7 @@ struct rdata* get_record(char* name, int type, int flags)
 	static union dns_query buff;
 	unsigned char* p;
 	unsigned char* end;
+	unsigned char* rd_end;
 	static char rec_name[MAX_DNS_NAME]; /* placeholder for the record name */
 	int rec_name_len;
 	unsigned short rtype, class, rdlength;
@@ -593,10 +594,11 @@ again:
 		memcpy((void*)&rdlength, (void*)p, 2);
 		rdlength=ntohs(rdlength);
 		p+=2;
-		if (unlikely((p+rdlength)>end)) goto error_boundary;
+		rd_end=p+rdlength;
+		if (unlikely((rd_end)>end)) goto error_boundary;
 		if ((flags & RES_ONLY_TYPE) && (rtype!=type)){
 			/* skip */
-			p+=rdlength;
+			p=rd_end;
 			continue;
 		}
 		/* expand the "type" record  (rdata)*/
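Review bot: `rd_end=p+rdlength;` forms the pointer before the bounds check, so when the rdlength taken from the DNS response is larger than the bytes left in `buff`, the addition itself goes more than one past the end of the object. That is undefined behaviour, and a compiler may assume the following comparison is never true. Comparing lengths first avoids it: `if (unlikely(rdlength>(end-p))) goto error_boundary;` followed by `rd_end=p+rdlength;`. This relies on p<=end holding here, which cannot be confirmed from the hunk because the bounds check for the 2-byte rdlength read sits above it; get_record starts and ends outside the hunk.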
@@ -639,7 +641,7 @@ again:
 		}
 		switch(rtype){
 			case T_SRV:
-				srv_rd= dns_srv_parser(buff.buff, end, p);
+				srv_rd= dns_srv_parser(buff.buff, rd_end, p);
 				rd->rdata=(void*)srv_rd;
 				if (unlikely(srv_rd==0)) goto error_parse;
 				
@@ -663,26 +665,26 @@ again:
 				*crt=rd;
 				break;
 			case T_A:
-				rd->rdata=(void*) dns_a_parser(p,end);
+				rd->rdata=(void*) dns_a_parser(p, rd_end);
 				if (unlikely(rd->rdata==0)) goto error_parse;
 				*last=rd; /* last points to the last "next" or the list
 							 	head*/
 				last=&(rd->next);
 				break;
 			case T_AAAA:
-				rd->rdata=(void*) dns_aaaa_parser(p,end);
+				rd->rdata=(void*) dns_aaaa_parser(p, rd_end);
 				if (unlikely(rd->rdata==0)) goto error_parse;
 				*last=rd;
 				last=&(rd->next);
 				break;
 			case T_CNAME:
-				rd->rdata=(void*) dns_cname_parser(buff.buff, end, p);
+				rd->rdata=(void*) dns_cname_parser(buff.buff, rd_end, p);
 				if(unlikely(rd->rdata==0)) goto error_parse;
 				*last=rd;
 				last=&(rd->next);
 				break;
 			case T_NAPTR:
-				rd->rdata=(void*) dns_naptr_parser(buff.buff, end, p);
+				rd->rdata=(void*) dns_naptr_parser(buff.buff, rd_end, p);
 				if(unlikely(rd->rdata==0)) goto error_parse;
 				*last=rd;
 				last=&(rd->next);
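Review bot: The T_A and T_AAAA cases still appear to accept a record whose declared rdlength is larger than the address it carries, assuming dns_a_parser and dns_aaaa_parser (not shown here) only test that 4 or 16 bytes fit before `rd_end`. These types have a fixed RDATA size, so an exact check before each call would reject malformed responses outright, e.g. `if (unlikely(rdlength!=4)) goto error_parse;` for T_A and the same with 16 for T_AAAA. The switch and get_record continue outside the hunk, so whether p is later advanced to `rd_end` rather than by the parsed size cannot be confirmed from here.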



