31 lines
1.2 KiB
Diff
31 lines
1.2 KiB
Diff
|
From 1c85901cc4c0f7693183f4b280604619e56cba00 Mon Sep 17 00:00:00 2001
|
||
|
|
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
|
||
|
|
Date: Wed, 16 Aug 2023 16:58:49 +0200
|
||
|
|
Subject: [PATCH] - Fix out of bounds read in parse_edns_options_from_query, it
|
||
|
|
would read 8 bytes after a client option of length 8, and then ignore them
|
||
|
|
to recreate a 24 byte response. The fixup does not read out of bounds,
|
||
|
|
and puts zeroes in the buffer at that point, that then are ignored.
|
||
|
|
|
||
|
|
---
|
||
|
|
util/data/msgparse.c | 7 ++++++-
|
||
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/util/data/msgparse.c b/util/data/msgparse.c
|
||
|
|
index 40189d613..b5414c6d0 100644
|
||
|
|
--- a/util/data/msgparse.c
|
||
|
|
+++ b/util/data/msgparse.c
|
||
|
|
@@ -1049,7 +1049,12 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||
|
|
/* Copy client cookie, version and timestamp for
|
||
|
|
* validation and creation purposes.
|
||
|
|
*/
|
||
|
|
- memmove(server_cookie, rdata_ptr, 16);
|
||
|
|
+ if(opt_len >= 16) {
|
||
|
|
+ memmove(server_cookie, rdata_ptr, 16);
|
||
|
|
+ } else {
|
||
|
|
+ memset(server_cookie, 0, 16);
|
||
|
|
+ memmove(server_cookie, rdata_ptr, opt_len);
|
||
|
|
+ }
|
||
|
|
|
||
|
|
/* In the "if, if else" block below, we validate a
|
||
|
|
* RFC9018 cookie. If it doesn't match the recipe, or
|