summaryrefslogtreecommitdiff
path: root/sbin
diff options
context:
space:
mode:
authorFlorian Obser <florian@cvs.openbsd.org>2019-11-20 15:50:42 +0000
committerFlorian Obser <florian@cvs.openbsd.org>2019-11-20 15:50:42 +0000
commit0ee7d37347379a5200f1fe9db9dd7192a9e976ba (patch)
treed7d8786a7b366b780eb5a8d9e7c5d03517caacaf /sbin
parent6496417f56c61a66e399d99a13aa4a5bf0932f35 (diff)
Check for a too short answer packet in all callback functions because
otherwise we try to parse an invalid packet. This can be triggered by captive_portal_resolve_done() when dhcp provided nameservers do not answer and asr hits a timeout. answer_packet is NULL and answer_len -1 in that case. Found the hard way by claudio
Diffstat (limited to 'sbin')
-rw-r--r--sbin/unwind/resolver.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/sbin/unwind/resolver.c b/sbin/unwind/resolver.c
index 816a5944e48..49bddbc6892 100644
--- a/sbin/unwind/resolver.c
+++ b/sbin/unwind/resolver.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: resolver.c,v 1.69 2019/11/19 14:49:36 florian Exp $ */
+/* $OpenBSD: resolver.c,v 1.70 2019/11/20 15:50:41 florian Exp $ */
/*
* Copyright (c) 2018 Florian Obser <florian@openbsd.org>
@@ -1685,13 +1685,18 @@ void
captive_portal_resolve_done(struct uw_resolver *res, void *arg, int rcode,
void *answer_packet, int answer_len, int sec, char *why_bogus)
{
- struct ub_result *result;
+ struct ub_result *result = NULL;
sldns_buffer *buf = NULL;
struct regional *region = NULL;
struct in_addr *in;
int i;
char *str, rdata_buf[sizeof("xxx.xxx.xxx.xxx")];
+ if (answer_len < LDNS_HEADER_SIZE) {
+ log_warnx("bad packet: too short");
+ goto out;
+ }
+
if ((result = calloc(1, sizeof(*result))) == NULL)
goto out;
@@ -1809,7 +1814,7 @@ void
trust_anchor_resolve_done(struct uw_resolver *res, void *arg, int rcode,
void *answer_packet, int answer_len, int sec, char *why_bogus)
{
- struct ub_result *result;
+ struct ub_result *result = NULL;
sldns_buffer *buf = NULL;
struct regional *region = NULL;
struct timeval tv = {TRUST_ANCHOR_RETRY_INTERVAL, 0};
@@ -1817,6 +1822,11 @@ trust_anchor_resolve_done(struct uw_resolver *res, void *arg, int rcode,
uint16_t dnskey_flags;
char *str, rdata_buf[1024], *ta;
+ if (answer_len < LDNS_HEADER_SIZE) {
+ log_warnx("bad packet: too short");
+ goto out;
+ }
+
if ((result = calloc(1, sizeof(*result))) == NULL)
goto out;