This is an automated email from the ASF dual-hosted git repository.
acassis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx.git
The following commit(s) were added to refs/heads/master by this push:
new 805169cebd0 libs/netdb: Fix dns_recv_response() to dns_answer_s size
805169cebd0 is described below
commit 805169cebd0a09c3dd0d50962fd063a7235e1d99
Author: Alan Carvalho de Assis <[email protected]>
AuthorDate: Sun May 3 11:01:32 2026 -0300
libs/netdb: Fix dns_recv_response() to dns_answer_s size
This commit avoid that dns_recv_response() accepts fewer tha 10 bytes
that could end up with an OOB read.
Signed-off-by: Alan C. Assis <[email protected]>
---
libs/libc/netdb/lib_dnsquery.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/libs/libc/netdb/lib_dnsquery.c b/libs/libc/netdb/lib_dnsquery.c
index 57bf6575fc7..51740ce58d4 100644
--- a/libs/libc/netdb/lib_dnsquery.c
+++ b/libs/libc/netdb/lib_dnsquery.c
@@ -694,6 +694,19 @@ static int dns_recv_response(int sd, FAR union dns_addr_u
*addr, int naddr,
break;
}
+ /* Verify that a complete answer header (10 bytes: type, class,
+ * ttl[2], len) is available before casting to dns_answer_s.
+ * Without this check, accessing ans->ttl and ans->type/class/len
+ * would be an OOB read if fewer than 10 bytes remain.
+ */
+
+ if (nameptr + sizeof(struct dns_answer_s) > endofbuffer)
+ {
+ ret = -EILSEQ;
+ nwarn("DNS answer header truncated\n");
+ break;
+ }
+
ans = (FAR struct dns_answer_s *)nameptr;
ninfo("Answer: type=%04x, class=%04x, ttl=%06x, length=%04x\n",
