diff options
author | Florian Obser <florian@cvs.openbsd.org> | 2019-11-20 15:50:42 +0000 |
---|---|---|
committer | Florian Obser <florian@cvs.openbsd.org> | 2019-11-20 15:50:42 +0000 |
commit | 0ee7d37347379a5200f1fe9db9dd7192a9e976ba (patch) | |
tree | d7d8786a7b366b780eb5a8d9e7c5d03517caacaf /sbin | |
parent | 6496417f56c61a66e399d99a13aa4a5bf0932f35 (diff) |
Check for a too short answer packet in all callback functions because
otherwise we try to parse an invalid packet.
This can be triggered by captive_portal_resolve_done() when dhcp
provided nameservers do not answer and asr hits a timeout.
answer_packet is NULL and answer_len -1 in that case.
Found the hard way by claudio
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/unwind/resolver.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/sbin/unwind/resolver.c b/sbin/unwind/resolver.c index 816a5944e48..49bddbc6892 100644 --- a/sbin/unwind/resolver.c +++ b/sbin/unwind/resolver.c @@ -1,4 +1,4 @@ -/* $OpenBSD: resolver.c,v 1.69 2019/11/19 14:49:36 florian Exp $ */ +/* $OpenBSD: resolver.c,v 1.70 2019/11/20 15:50:41 florian Exp $ */ /* * Copyright (c) 2018 Florian Obser <florian@openbsd.org> @@ -1685,13 +1685,18 @@ void captive_portal_resolve_done(struct uw_resolver *res, void *arg, int rcode, void *answer_packet, int answer_len, int sec, char *why_bogus) { - struct ub_result *result; + struct ub_result *result = NULL; sldns_buffer *buf = NULL; struct regional *region = NULL; struct in_addr *in; int i; char *str, rdata_buf[sizeof("xxx.xxx.xxx.xxx")]; + if (answer_len < LDNS_HEADER_SIZE) { + log_warnx("bad packet: too short"); + goto out; + } + if ((result = calloc(1, sizeof(*result))) == NULL) goto out; @@ -1809,7 +1814,7 @@ void trust_anchor_resolve_done(struct uw_resolver *res, void *arg, int rcode, void *answer_packet, int answer_len, int sec, char *why_bogus) { - struct ub_result *result; + struct ub_result *result = NULL; sldns_buffer *buf = NULL; struct regional *region = NULL; struct timeval tv = {TRUST_ANCHOR_RETRY_INTERVAL, 0}; @@ -1817,6 +1822,11 @@ trust_anchor_resolve_done(struct uw_resolver *res, void *arg, int rcode, uint16_t dnskey_flags; char *str, rdata_buf[1024], *ta; + if (answer_len < LDNS_HEADER_SIZE) { + log_warnx("bad packet: too short"); + goto out; + } + if ((result = calloc(1, sizeof(*result))) == NULL) goto out; |