summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlexander Bluhm <bluhm@cvs.openbsd.org>2022-11-25 16:10:08 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2022-11-25 16:10:08 +0000
commit4c69037183301efb80eb23240e755d83dea74324 (patch)
treef89b5b1d8175d9febae66e022c1e0fa704883cf2
parent187c3d1893c684f734c9993921174267e5c4ac82 (diff)
Do not crash when a tcp query is larger than the length field
indicated. Found by kn with amap. Input bluhm. OK deraadt, tb, otto, kn from florian@
Diffstat
-rw-r--r--sbin/unwind/frontend.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/sbin/unwind/frontend.c b/sbin/unwind/frontend.c
index 653e73200bc..335492d4373 100644
--- a/sbin/unwind/frontend.c
+++ b/sbin/unwind/frontend.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: frontend.c,v 1.73 2022/03/13 15:14:01 florian Exp $ */
+/* $OpenBSD: frontend.c,v 1.74 2022/11/25 16:10:07 bluhm Exp $ */
/*
* Copyright (c) 2018 Florian Obser <florian@openbsd.org>
@@ -63,6 +63,7 @@
#include "control.h"
#include "dns64_synth.h"
+#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
#define ROUTE_SOCKET_BUF_SIZE 16384
/*
@@ -1699,6 +1700,7 @@ tcp_request(int fd, short events, void *arg)
if (sldns_buffer_position(pq->qbuf) >= 2 && !pq->abuf) {
struct sldns_buffer *tmp;
+ size_t rem;
uint16_t len;
sldns_buffer_flip(pq->qbuf);
@@ -1709,8 +1711,9 @@ tcp_request(int fd, short events, void *arg)
if (!tmp || !pq->abuf)
goto fail;
+ rem = sldns_buffer_remaining(pq->qbuf);
sldns_buffer_write(tmp, sldns_buffer_current(pq->qbuf),
- sldns_buffer_remaining(pq->qbuf));
+ MINIMUM(len, rem));
sldns_buffer_free(pq->qbuf);
pq->qbuf = tmp;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-03 03:02:48 +0000