[asterisk-commits] mmichelson: branch group/dns_naptr r433301 - /team/group/dns_naptr/main/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Mon Mar 23 09:52:24 CDT 2015
Author: mmichelson
Date: Mon Mar 23 09:52:22 2015
New Revision: 433301
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=433301
Log:
Add aggressive boundary checking for NAPTR record allocation.
Modified:
team/group/dns_naptr/main/dns_core.c
Modified: team/group/dns_naptr/main/dns_core.c
URL: http://svnview.digium.com/svn/asterisk/team/group/dns_naptr/main/dns_core.c?view=diff&rev=433301&r1=433300&r2=433301
==============================================================================
--- team/group/dns_naptr/main/dns_core.c (original)
+++ team/group/dns_naptr/main/dns_core.c Mon Mar 23 09:52:22 2015
@@ -444,6 +444,7 @@
char *naptr_offset;
char *naptr_search_base = (char *)query->result->answer;
size_t remaining_size = query->result->answer_size;
+ char *end_of_record;
/*
* This is bordering on the hackiest thing I've ever written.
@@ -481,33 +482,61 @@
ast_assert(ptr != NULL);
+ end_of_record = ptr + size;
+
/* ORDER */
order = (ptr[1] << 0) | (ptr[0] << 8);
ptr += 2;
+ if (ptr >= end_of_record) {
+ return NULL;
+ }
+
/* PREFERENCE */
preference = (ptr[1] << 0) | (ptr[0] << 8);
ptr += 2;
+ if (ptr >= end_of_record) {
+ return NULL;
+ }
+
/* FLAGS */
flags_size = *ptr;
++ptr;
+ if (ptr >= end_of_record) {
+ return NULL;
+ }
flags = ptr;
ptr += flags_size;
+ if (ptr >= end_of_record) {
+ return NULL;
+ }
/* SERVICES */
services_size = *ptr;
++ptr;
+ if (ptr >= end_of_record) {
+ return NULL;
+ }
services = ptr;
ptr += services_size;
+ if (ptr >= end_of_record) {
+ return NULL;
+ }
/* REGEXP */
regexp_size = *ptr;
++ptr;
+ if (ptr >= end_of_record) {
+ return NULL;
+ }
regexp = ptr;
ptr += regexp_size;
-
- replacement_size = dn_expand((unsigned char *)query->result->answer, (unsigned char *) (naptr_offset + size), (unsigned char *) ptr, replacement, sizeof(replacement) - 1);
+ if (ptr >= end_of_record) {
+ return NULL;
+ }
+
+ replacement_size = dn_expand((unsigned char *)query->result->answer, (unsigned char *) end_of_record, (unsigned char *) ptr, replacement, sizeof(replacement) - 1);
if (replacement_size < 0) {
ast_log(LOG_ERROR, "Failed to expand domain name: %s\n", strerror(errno));
return NULL;
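Review bot: The two 16-bit reads are not covered by the new checks: ORDER reads `ptr[0]` and `ptr[1]` before anything is compared with `end_of_record`, and the check that follows guarantees only one readable byte while PREFERENCE again reads two, so a record whose `size` is below 4 is still read past its end. A single guard placed before the ORDER read, `if (end_of_record - ptr < 4) { return NULL; }`, would cover both fields. The length-prefixed fields (FLAGS, SERVICES, REGEXP) advance `ptr` by a length taken from the response and only compare afterwards; testing the length against the bytes that remain, e.g. `if (flags_size >= end_of_record - ptr) { return NULL; }`, rejects the record without first forming a pointer beyond it. If `ptr` is a plain `char *` (its declaration is outside the hunk), a length byte of 0x80 or more may be read as negative and move `ptr` backwards, where `ptr >= end_of_record` would not catch it, so reading the length through `unsigned char` is worth confirming. The enclosing function starts and ends outside the hunk.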