Author: mmichelson
Date: Mon Mar 23 09:52:22 2015
New Revision: 433301

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=433301
Log:
Add aggressive boundary checking for NAPTR record allocation.


Modified:
    team/group/dns_naptr/main/dns_core.c

Modified: team/group/dns_naptr/main/dns_core.c
URL: 
http://svnview.digium.com/svn/asterisk/team/group/dns_naptr/main/dns_core.c?view=diff&rev=433301&r1=433300&r2=433301
==============================================================================
--- team/group/dns_naptr/main/dns_core.c (original)
+++ team/group/dns_naptr/main/dns_core.c Mon Mar 23 09:52:22 2015
@@ -444,6 +444,7 @@
        char *naptr_offset;
        char *naptr_search_base = (char *)query->result->answer;
        size_t remaining_size = query->result->answer_size;
+       char *end_of_record;
 
        /* 
         * This is bordering on the hackiest thing I've ever written.
@@ -481,33 +482,61 @@
 
        ast_assert(ptr != NULL);
 
+       end_of_record = ptr + size;
+
        /* ORDER */
        order = (ptr[1] << 0) | (ptr[0] << 8);
        ptr += 2;
 
+       if (ptr >= end_of_record) {
+               return NULL;
+       }
+
        /* PREFERENCE */
        preference = (ptr[1] << 0) | (ptr[0] << 8);
        ptr += 2;
 
+       if (ptr >= end_of_record) {
+               return NULL;
+       }
+
        /* FLAGS */
        flags_size = *ptr;
        ++ptr;
+       if (ptr >= end_of_record) {
+               return NULL;
+       }
        flags = ptr;
        ptr += flags_size;
+       if (ptr >= end_of_record) {
+               return NULL;
+       }
 
        /* SERVICES */
        services_size = *ptr;
        ++ptr;
+       if (ptr >= end_of_record) {
+               return NULL;
+       }
        services = ptr;
        ptr += services_size;
+       if (ptr >= end_of_record) {
+               return NULL;
+       }
 
        /* REGEXP */
        regexp_size = *ptr;
        ++ptr;
+       if (ptr >= end_of_record) {
+               return NULL;
+       }
        regexp = ptr;
        ptr += regexp_size;
-
-       replacement_size = dn_expand((unsigned char *)query->result->answer, 
(unsigned char *) (naptr_offset + size), (unsigned char *) ptr, replacement, 
sizeof(replacement) - 1);
+       if (ptr >= end_of_record) {
+               return NULL;
+       }
+
+       replacement_size = dn_expand((unsigned char *)query->result->answer, 
(unsigned char *) end_of_record, (unsigned char *) ptr, replacement, 
sizeof(replacement) - 1);
        if (replacement_size < 0) {
                ast_log(LOG_ERROR, "Failed to expand domain name: %s\n", 
strerror(errno));
                return NULL;
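Review bot: The new `ptr >= end_of_record` checks guarantee only one remaining byte, but the PREFERENCE read touches both `ptr[0]` and `ptr[1]`, and the ORDER read runs before any comparison at all, so a record shorter than four bytes is still read past its end. A single length test ahead of the fixed fields closes both, e.g. `if (end_of_record - ptr < 4) { return NULL; }` placed right after `end_of_record = ptr + size;`. The three length-prefixed fields are bounded only from above: `end_of_record` is a `char *`, so `ptr` is presumably `char *` too, and if `flags_size`, `services_size` and `regexp_size` are signed (their declarations are outside the hunk), a length byte of 0x80 or more on a signed-char platform moves `ptr` backwards and still passes the check. Reading each length as `flags_size = (unsigned char) *ptr;` and comparing it with `end_of_record - ptr` before advancing avoids that, and also avoids forming a pointer beyond the record. The enclosing function begins and ends outside this hunk.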

