
dns: minor fixes

- some dns record parsers need only the record end for their
internal overflow checks, while others also need the message end
(anything that expands compressed strings).

Andrei Pelinescu-Onciul authored on 31/03/2009 17:06:00
Showing 1 changed files
@@ -230,6 +230,7 @@ unsigned char* dns_skipname(unsigned char* p, unsigned char* end)
230 230
 /* parses the srv record into a srv_rdata structure
231 231
  *   msg   - pointer to the dns message
232 232
  *   end   - pointer to the end of the message
233
+ *   eor   - pointer to the end of the record/rdata
233 234
  *   rdata - pointer  to the rdata part of the srv answer
234 235
  * returns 0 on error, or a dyn. alloc'ed srv_rdata structure */
235 236
 /* SRV rdata format:
@@ -248,6 +249,7 @@ unsigned char* dns_skipname(unsigned char* p, unsigned char* end)
248 248
  * +----------------+
249 249
  */
250 250
 struct srv_rdata* dns_srv_parser( unsigned char* msg, unsigned char* end,
251
+								  unsigned char* eor,
251 252
 								  unsigned char* rdata)
252 253
 {
253 254
 	struct srv_rdata* srv;
@@ -258,7 +260,7 @@ struct srv_rdata* dns_srv_parser( unsigned char* msg, unsigned char* end,
258 258
 	char name[MAX_DNS_NAME];
259 259
 	
260 260
 	srv=0;
261
-	if ((rdata+6+1)>end) goto error;
261
+	if ((rdata+6+1)>eor) goto error;
262 262
 	
263 263
 	memcpy((void*)&priority, rdata, 2);
264 264
 	memcpy((void*)&weight,   rdata+2, 2);
@@ -292,6 +294,7 @@ error:
292 292
 /* parses the naptr record into a naptr_rdata structure
293 293
  *   msg   - pointer to the dns message
294 294
  *   end   - pointer to the end of the message
295
+ *   eor   - pointer to the end of the record/rdata
295 296
  *   rdata - pointer  to the rdata part of the naptr answer
296 297
  * returns 0 on error, or a dyn. alloc'ed naptr_rdata structure */
297 298
 /* NAPTR rdata format:
@@ -316,7 +319,8 @@ error:
316 316
  * +----------------+
317 317
  */
318 318
 struct naptr_rdata* dns_naptr_parser( unsigned char* msg, unsigned char* end,
319
-								  unsigned char* rdata)
319
+										unsigned char* eor,
320
+										unsigned char* rdata)
320 321
 {
321 322
 	struct naptr_rdata* naptr;
322 323
 	unsigned char* flags;
@@ -331,20 +335,20 @@ struct naptr_rdata* dns_naptr_parser( unsigned char* msg, unsigned char* end,
331 331
 	char repl[MAX_DNS_NAME];
332 332
 	
333 333
 	naptr = 0;
334
-	if ((rdata + 7 + 1)>end) goto error;
334
+	if ((rdata + 7 + 1)>eor) goto error;
335 335
 	
336 336
 	memcpy((void*)&order, rdata, 2);
337 337
 	memcpy((void*)&pref, rdata + 2, 2);
338 338
 	flags_len = rdata[4];
339
-	if ((rdata + 7 + 1 +  flags_len) > end)
339
+	if ((rdata + 7 + 1 +  flags_len) > eor)
340 340
 		goto error;
341 341
 	flags=rdata+5;
342 342
 	services_len = rdata[5 + flags_len];
343
-	if ((rdata + 7 + 1 + flags_len + services_len) > end)
343
+	if ((rdata + 7 + 1 + flags_len + services_len) > eor)
344 344
 		goto error;
345 345
 	services=rdata + 6 + flags_len;
346 346
 	regexp_len = rdata[6 + flags_len + services_len];
347
-	if ((rdata + 7 +1 + flags_len + services_len + regexp_len) > end)
347
+	if ((rdata + 7 +1 + flags_len + services_len + regexp_len) > eor)
348 348
 		goto error;
349 349
 	regexp=rdata + 7 + flags_len + services_len;
350 350
 	rdata = rdata + 7 + flags_len + services_len + regexp_len;
@@ -418,11 +422,11 @@ error:
418 418
 /* parses an A record rdata into an a_rdata structure
419 419
  * returns 0 on error or a dyn. alloc'ed a_rdata struct
420 420
  */
421
-struct a_rdata* dns_a_parser(unsigned char* rdata, unsigned char* end)
421
+struct a_rdata* dns_a_parser(unsigned char* rdata, unsigned char* eor)
422 422
 {
423 423
 	struct a_rdata* a;
424 424
 	
425
-	if (rdata+4>end) goto error;
425
+	if (rdata+4>eor) goto error;
426 426
 	a=(struct a_rdata*)local_malloc(sizeof(struct a_rdata));
427 427
 	if (a==0){
428 428
 		LOG(L_ERR, "ERROR: dns_a_parser: out of memory\n");
@@ -438,11 +442,11 @@ error:
438 438
 
439 439
 /* parses an AAAA (ipv6) record rdata into an aaaa_rdata structure
440 440
  * returns 0 on error or a dyn. alloc'ed aaaa_rdata struct */
441
-struct aaaa_rdata* dns_aaaa_parser(unsigned char* rdata, unsigned char* end)
441
+struct aaaa_rdata* dns_aaaa_parser(unsigned char* rdata, unsigned char* eor)
442 442
 {
443 443
 	struct aaaa_rdata* aaaa;
444 444
 	
445
-	if (rdata+16>end) goto error;
445
+	if (rdata+16>eor) goto error;
446 446
 	aaaa=(struct aaaa_rdata*)local_malloc(sizeof(struct aaaa_rdata));
447 447
 	if (aaaa==0){
448 448
 		LOG(L_ERR, "ERROR: dns_aaaa_parser: out of memory\n");
@@ -641,7 +645,7 @@ again:
641 641
 		}
642 642
 		switch(rtype){
643 643
 			case T_SRV:
644
-				srv_rd= dns_srv_parser(buff.buff, rd_end, p);
644
+				srv_rd= dns_srv_parser(buff.buff, end, rd_end, p);
645 645
 				rd->rdata=(void*)srv_rd;
646 646
 				if (unlikely(srv_rd==0)) goto error_parse;
647 647
 				
@@ -678,13 +682,13 @@ again:
678 678
 				last=&(rd->next);
679 679
 				break;
680 680
 			case T_CNAME:
681
-				rd->rdata=(void*) dns_cname_parser(buff.buff, rd_end, p);
681
+				rd->rdata=(void*) dns_cname_parser(buff.buff, end, p);
682 682
 				if(unlikely(rd->rdata==0)) goto error_parse;
683 683
 				*last=rd;
684 684
 				last=&(rd->next);
685 685
 				break;
686 686
 			case T_NAPTR:
687
-				rd->rdata=(void*) dns_naptr_parser(buff.buff, rd_end, p);
687
+				rd->rdata=(void*)dns_naptr_parser(buff.buff, end, rd_end, p);
688 688
 				if(unlikely(rd->rdata==0)) goto error_parse;
689 689
 				*last=rd;
690 690
 				last=&(rd->next);
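Review bot: The T_CNAME call now passes only the message end, so the record-end bound that `rd_end` enforced before is no longer applied to the CNAME rdata at this call site, while the SRV and NAPTR calls keep both bounds; a name that runs past the record's declared rdlength would then be accepted as long as it stays inside the message. Consider giving dns_cname_parser the same (msg, end, eor, rdata) shape as the other two parsers and passing `rd_end` here, e.g. `rd->rdata=(void*) dns_cname_parser(buff.buff, end, rd_end, p);`, with the parser checking that the expanded name ends at or before eor. The same end-of-name check would be worth adding after the new eor tests in dns_srv_parser and dns_naptr_parser, where the name expansion that follows is outside the hunk. dns_cname_parser's definition and the T_A/T_AAAA call sites for the renamed dns_a_parser/dns_aaaa_parser parameter are not in the diff, so this is inferred from the call sites shown. The enclosing switch and its function start and end outside the hunk.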