prevent CNAME/PTR parsing from reading data past the response end

[musl] / src / network / getnameinfo.c

diff --git a/src/network/getnameinfo.c b/src/network/getnameinfo.c
index 84f5ed6..080d3c0 100644 (file)
--- a/src/network/getnameinfo.c
+++ b/src/network/getnameinfo.c
@@ -2,6 +2,7 @@
 #include <limits.h>
 #include <string.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -107,10 +108,10 @@ static void reverse_services(char *buf, int port, int dgram)
        __fclose_ca(f);
 }
 
-static int dns_parse_callback(void *c, int rr, const void *data, int len, const void *packet)
+static int dns_parse_callback(void *c, int rr, const void *data, int len, const void *packet, int plen)
 {
        if (rr != RR_PTR) return 0;
-       if (__dn_expand(packet, (const unsigned char *)packet + 512,
+       if (__dn_expand(packet, (const unsigned char *)packet + plen,
            data, c, 256) <= 0)
                *(char *)c = 0;
        return 0;
@@ -157,6 +158,7 @@ int getnameinfo(const struct sockaddr *restrict sa, socklen_t sl,
                        unsigned char query[18+PTR_MAX], reply[512];
                        int qlen = __res_mkquery(0, ptr, 1, RR_PTR,
                                0, 0, 0, query, sizeof query);
+                       query[3] = 0; /* don't need AD flag */
                        int rlen = __res_send(query, qlen, reply, sizeof reply);
                        buf[0] = 0;
                        if (rlen > 0)