nsz Git - musl/commit

author	Alexey Izbyshev <izbyshev@ispras.ru>
	Fri, 27 Jan 2023 21:17:37 +0000 (00:17 +0300)
committer	Rich Felker <dalias@aerifal.cx>
	Mon, 27 Feb 2023 15:01:29 +0000 (10:01 -0500)
commit	12590c8bbd04ea484cee86812e2258fbdfca0e59
tree	5f844f3a3ff128794c4bcc0cd73de2f3fadd3a61	tree \| snapshot
parent	bc695a5ac1d7929e5c1ad5297eb47e146cccd157	commit \| diff

fix out-of-bounds reads in __dns_parse

There are several issues with range checks in this function:

* The question section parsing loop can read up to two out-of-bounds
  bytes before doing the range check and bailing out.

* The answer section parsing loop, in addition to the same issue as
  above, uses the wrong length in the range check that doesn't prevent
  OOB reads when computing len later.

* The len range check before calling the callback is off by 10. Also,
  p+len can overflow in a (probably theoretical) case when p is within
  2^16 from UINTPTR_MAX.

Because __dns_parse is used only with stack-allocated buffers, such
small overreads can't result in a segfault. The first two also don't
affect the function result, but the last one may result in getaddrinfo
incorrectly succeeding and returning up to 10 bytes past the
response buffer as a part of the IP address, and in (canon) name
returned by getaddrinfo/getnameinfo being affected by memory past the
response buffer (because dn_expand might interpret it as a pointer).