From bc552102ad0ba14eaf83a93a5119f316fa6481f5 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Wed, 5 Dec 2018 17:57:49 +0100
Subject: [PATCH] BUG: dns: Fix out-of-bounds read via signedness error in dns_validate_dns_response()

Since the data_len field of the dns_answer_item struct was an int16_t, record length values larger than 2^15-1 were causing an integer overflow and thus may have been interpreted as negative, making us read well before the beginning of the buffer. This might have led to information disclosure or a crash. To be backported to 1.8, probably also 1.7.
---
 include/types/dns.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/types/dns.h b/include/types/dns.h
index d7afe02cd..0ebe380b0 100644
--- a/include/types/dns.h
+++ b/include/types/dns.h
@@ -145,7 +145,7 @@ struct dns_answer_item {
 int16_t priority; /* SRV type priority */
 uint16_t weight; /* SRV type weight */
 int16_t port; /* SRV type port */
- int16_t data_len; /* number of bytes in target below */
+ uint16_t data_len; /* number of bytes in target below */
 struct sockaddr address; /* IPv4 or IPv6, network format */
 char target[DNS_MAX_NAME_SIZE]; /* Response data: SRV or CNAME type target */
 time_t last_seen; /* When was the answer was last seen */
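Review bot: `priority` and `port` in the context lines just above the change are still `int16_t`, although SRV priority and port are unsigned 16-bit values on the wire, so anything above 32767 would read back negative the same way `data_len` did; consider `uint16_t priority;` and `uint16_t port;` in the same patch. The type change by itself also does not bound `data_len`: it can now hold up to 65535 while `target` is only `DNS_MAX_NAME_SIZE` bytes, so the parser in dns_validate_dns_response() (not part of this diff) presumably still has to check it against the remaining response bytes and against `sizeof(target)` before any copy. A short comment on the field such as `/* unsigned: wire value is 16 bits, must be range-checked by the parser */` would keep the reason for the type visible. The struct begins and ends outside the hunk.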