
dns: minor fixes

- some dns record parsers need only the record end for their
internal overflow checks, while others also need the message end
(anything that expands compressed names).

Andrei Pelinescu-Onciul authored on 31/03/2009 17:06:00
Showing 1 changed files
@@ -230,6 +230,7 @@ unsigned char* dns_skipname(unsigned char* p, unsigned char* end)
230 230
 /* parses the srv record into a srv_rdata structure
231 231
  *   msg   - pointer to the dns message
232 232
  *   end   - pointer to the end of the message
233
+ *   eor   - pointer to the end of the record/rdata
233 234
  *   rdata - pointer  to the rdata part of the srv answer
234 235
  * returns 0 on error, or a dyn. alloc'ed srv_rdata structure */
235 236
 /* SRV rdata format:
@@ -248,6 +249,7 @@ unsigned char* dns_skipname(unsigned char* p, unsigned char* end)
248 249
  * +----------------+
249 250
  */
250 251
 struct srv_rdata* dns_srv_parser( unsigned char* msg, unsigned char* end,
252
+								  unsigned char* eor,
251 253
 								  unsigned char* rdata)
252 254
 {
253 255
 	struct srv_rdata* srv;
@@ -258,7 +260,7 @@ struct srv_rdata* dns_srv_parser( unsigned char* msg, unsigned char* end,
258 260
 	char name[MAX_DNS_NAME];
259 261
 	
260 262
 	srv=0;
261
-	if ((rdata+6+1)>end) goto error;
263
+	if ((rdata+6+1)>eor) goto error;
262 264
 	
263 265
 	memcpy((void*)&priority, rdata, 2);
264 266
 	memcpy((void*)&weight,   rdata+2, 2);
@@ -292,6 +294,7 @@ error:
292 294
 /* parses the naptr record into a naptr_rdata structure
293 295
  *   msg   - pointer to the dns message
294 296
  *   end   - pointer to the end of the message
297
+ *   eor   - pointer to the end of the record/rdata
295 298
  *   rdata - pointer  to the rdata part of the naptr answer
296 299
  * returns 0 on error, or a dyn. alloc'ed naptr_rdata structure */
297 300
 /* NAPTR rdata format:
@@ -316,7 +319,8 @@ error:
316 319
  * +----------------+
317 320
  */
318 321
 struct naptr_rdata* dns_naptr_parser( unsigned char* msg, unsigned char* end,
319
-								  unsigned char* rdata)
322
+										unsigned char* eor,
323
+										unsigned char* rdata)
320 324
 {
321 325
 	struct naptr_rdata* naptr;
322 326
 	unsigned char* flags;
@@ -331,20 +335,20 @@ struct naptr_rdata* dns_naptr_parser( unsigned char* msg, unsigned char* end,
331 335
 	char repl[MAX_DNS_NAME];
332 336
 	
333 337
 	naptr = 0;
334
-	if ((rdata + 7 + 1)>end) goto error;
338
+	if ((rdata + 7 + 1)>eor) goto error;
335 339
 	
336 340
 	memcpy((void*)&order, rdata, 2);
337 341
 	memcpy((void*)&pref, rdata + 2, 2);
338 342
 	flags_len = rdata[4];
339
-	if ((rdata + 7 + 1 +  flags_len) > end)
343
+	if ((rdata + 7 + 1 +  flags_len) > eor)
340 344
 		goto error;
341 345
 	flags=rdata+5;
342 346
 	services_len = rdata[5 + flags_len];
343
-	if ((rdata + 7 + 1 + flags_len + services_len) > end)
347
+	if ((rdata + 7 + 1 + flags_len + services_len) > eor)
344 348
 		goto error;
345 349
 	services=rdata + 6 + flags_len;
346 350
 	regexp_len = rdata[6 + flags_len + services_len];
347
-	if ((rdata + 7 +1 + flags_len + services_len + regexp_len) > end)
351
+	if ((rdata + 7 +1 + flags_len + services_len + regexp_len) > eor)
348 352
 		goto error;
349 353
 	regexp=rdata + 7 + flags_len + services_len;
350 354
 	rdata = rdata + 7 + flags_len + services_len + regexp_len;
@@ -418,11 +422,11 @@ error:
418 422
 /* parses an A record rdata into an a_rdata structure
419 423
  * returns 0 on error or a dyn. alloc'ed a_rdata struct
420 424
  */
421
-struct a_rdata* dns_a_parser(unsigned char* rdata, unsigned char* end)
425
+struct a_rdata* dns_a_parser(unsigned char* rdata, unsigned char* eor)
422 426
 {
423 427
 	struct a_rdata* a;
424 428
 	
425
-	if (rdata+4>end) goto error;
429
+	if (rdata+4>eor) goto error;
426 430
 	a=(struct a_rdata*)local_malloc(sizeof(struct a_rdata));
427 431
 	if (a==0){
428 432
 		LOG(L_ERR, "ERROR: dns_a_parser: out of memory\n");
@@ -438,11 +442,11 @@ error:
438 442
 
439 443
 /* parses an AAAA (ipv6) record rdata into an aaaa_rdata structure
440 444
  * returns 0 on error or a dyn. alloc'ed aaaa_rdata struct */
441
-struct aaaa_rdata* dns_aaaa_parser(unsigned char* rdata, unsigned char* end)
445
+struct aaaa_rdata* dns_aaaa_parser(unsigned char* rdata, unsigned char* eor)
442 446
 {
443 447
 	struct aaaa_rdata* aaaa;
444 448
 	
445
-	if (rdata+16>end) goto error;
449
+	if (rdata+16>eor) goto error;
446 450
 	aaaa=(struct aaaa_rdata*)local_malloc(sizeof(struct aaaa_rdata));
447 451
 	if (aaaa==0){
448 452
 		LOG(L_ERR, "ERROR: dns_aaaa_parser: out of memory\n");
@@ -641,7 +645,7 @@ again:
641 645
 		}
642 646
 		switch(rtype){
643 647
 			case T_SRV:
644
-				srv_rd= dns_srv_parser(buff.buff, rd_end, p);
648
+				srv_rd= dns_srv_parser(buff.buff, end, rd_end, p);
645 649
 				rd->rdata=(void*)srv_rd;
646 650
 				if (unlikely(srv_rd==0)) goto error_parse;
647 651
 				
@@ -678,13 +682,13 @@ again:
678 682
 				last=&(rd->next);
679 683
 				break;
680 684
 			case T_CNAME:
681
-				rd->rdata=(void*) dns_cname_parser(buff.buff, rd_end, p);
685
+				rd->rdata=(void*) dns_cname_parser(buff.buff, end, p);
682 686
 				if(unlikely(rd->rdata==0)) goto error_parse;
683 687
 				*last=rd;
684 688
 				last=&(rd->next);
685 689
 				break;
686 690
 			case T_NAPTR:
687
-				rd->rdata=(void*) dns_naptr_parser(buff.buff, rd_end, p);
691
+				rd->rdata=(void*)dns_naptr_parser(buff.buff, end, rd_end, p);
688 692
 				if(unlikely(rd->rdata==0)) goto error_parse;
689 693
 				*last=rd;
690 694
 				last=&(rd->next);
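Review bot: In the T_CNAME case of the last hunk the call changes from `rd_end` to `end`, so dns_cname_parser is now bounded only by the message end and loses the per-record bound, whereas the neighbouring T_SRV and T_NAPTR calls were given both (`end` for name expansion, `rd_end` as `eor` for the rdata checks). dns_cname_parser's body is outside this diff, but if its second argument is the only limit it checks, a CNAME whose encoded name runs past its rdlength would presumably no longer be rejected and could be read from the following record's bytes; giving it an `eor` parameter like dns_srv_parser and calling `dns_cname_parser(buff.buff, end, rd_end, p)` would keep the record bound. Separately, the NAPTR checks such as `if ((rdata + 7 + 1 + flags_len + services_len + regexp_len) > eor)` build a pointer beyond `eor` before comparing, which is out-of-object pointer arithmetic; a length form such as `if ((eor - rdata) < 7 + 1 + flags_len + services_len + regexp_len)` makes the same check without it. The function enclosing the last two hunks (the `again:` loop) starts and ends outside the diff.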