From 50dee79bfbe0782a342ef864b28d7d6613c0b1fb Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 30 Nov 2015 19:39:19 +0100 Subject: dns-domain: check resulting domain name length in dns_name_to_wire_format() Let's better be safe than sorry. --- src/shared/dns-domain.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) (limited to 'src/shared/dns-domain.c') diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c index ba6eff8f60..03c0107308 100644 --- a/src/shared/dns-domain.c +++ b/src/shared/dns-domain.c @@ -864,7 +864,7 @@ bool dns_name_is_single_label(const char *name) { return dns_name_is_root(name); } -/* Encode a domain name according to RFC 1035 Section 3.1 */ +/* Encode a domain name according to RFC 1035 Section 3.1, without compression */ int dns_name_to_wire_format(const char *domain, uint8_t *buffer, size_t len) { uint8_t *label_length, *out; int r; @@ -875,24 +875,35 @@ int dns_name_to_wire_format(const char *domain, uint8_t *buffer, size_t len) { out = buffer; do { - /* reserve a byte for label length */ + /* Reserve a byte for label length */ if (len <= 0) return -ENOBUFS; len--; label_length = out; out++; - /* convert and copy a single label */ + /* Convert and copy a single label. Note that + * dns_label_unescape() returns 0 when it hits the end + * of the domain name, which we rely on here to encode + * the trailing NUL byte. */ r = dns_label_unescape(&domain, (char *) out, len); if (r < 0) return r; - /* fill label length, move forward */ + /* Fill label length, move forward */ *label_length = r; out += r; len -= r; + } while (r != 0); + /* Verify the maximum size of the encoded name. The trailing + * dot + NUL byte account are included this time, hence + * compare against DNS_HOSTNAME_MAX + 2 (which is 255) this + * time. */ + if (out - buffer > DNS_HOSTNAME_MAX + 2) + return -EINVAL; + return out - buffer; } -- cgit v1.2.3-54-g00ecf