From 0d252eb3b2147179296a3bdb4ef97883c97c54d3 Mon Sep 17 00:00:00 2001
From: bradh352 <brad@brad-house.com>
Date: Thu, 12 Nov 2020 10:24:40 -0500
Subject: [PATCH] ares_parse_{a,aaaa}_reply could return larger *naddrttls than
passed in
If there are more ttls returned than the maximum provided by the requestor, then
the *naddrttls response would be larger than the actual number of elements in
the addrttls array.
This bug could lead to invalid memory accesses in applications using c-ares.
This behavior appeared to break with PR #257
Fixes: #371
Reported By: Momtchil Momtchev (@mmomtchev)
Fix By: Brad House (@bradh352)
---
ares_parse_a_reply.c | 3 ++-
ares_parse_aaaa_reply.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/ares_parse_a_reply.c b/ares_parse_a_reply.c
index d8a9e9b..e71c993 100644
--- a/ares_parse_a_reply.c
+++ b/ares_parse_a_reply.c
@@ -197,7 +197,8 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,
|
|
|
|
if (naddrttls)
{
- *naddrttls = naddrs;
+ /* Truncated to at most *naddrttls entries */
+ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
}
|
|
|
|
ares__freeaddrinfo_cnames(ai.cnames);
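Review bot: The cap written to `*naddrttls` is the right fix for the over-reported count, but the added comment understates the contract that now matters: `*naddrttls` is in/out, and the value stored here is only safe if the fill loop earlier in ares_parse_a_reply (the function starts outside this hunk) bounded its writes into addrttls by that same entry value. I would spell this out, e.g. `/* *naddrttls is in/out: capacity of addrttls on entry, number of entries actually filled on exit (never more than the capacity) */`, and state the same in the public header and man page so callers know to initialize it before the call. A negative `*naddrttls` passes through this expression unchanged (naddrs is then greater, so the original value is kept), so the earlier bounds check has to be the one that rejects it; I cannot see from the hunk whether it does. The identical change in ares_parse_aaaa_reply.c below needs the same comment, and in both places the ternary reads better spaced as `(naddrs > *naddrttls) ? *naddrttls : naddrs`.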
diff --git a/ares_parse_aaaa_reply.c b/ares_parse_aaaa_reply.c
index 0d39bfa..346d430 100644
--- a/ares_parse_aaaa_reply.c
+++ b/ares_parse_aaaa_reply.c
@@ -200,7 +200,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
|
|
|
|
if (naddrttls)
{
- *naddrttls = naddrs;
+ /* Truncated to at most *naddrttls entries */
+ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
}
|
|
|
|
ares__freeaddrinfo_cnames(ai.cnames);
--
1.8.3.1