Wireshark-bugs: [Wireshark-bugs] [Bug 7552] Add support for EDNS0 option from draft-vandergaast-
Date: Fri, 31 Aug 2012 02:07:20 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7552

--- Comment #9 from David Drysdale <drysdale@xxxxxxxxxx> 2012-08-31 02:07:19 PDT ---
(In reply to comment #7)
> Guys,
> 
> This looks pretty dangerous: 
>   tvb_memcpy(tvb, ip_addr.bytes, cur_offset, (optlen - 4));
> 
> optlen is fetched from tvb, and it only needs to be smaller than rropt_len.
> When optlen < 4 tvb_memcpy() should throw exception, but with optlen > 16
> (sizeof ip_addr) we'll have buffer overflow.

Good spot; would a MIN() fix the problem?


Index: packet-dns.c
===================================================================
--- packet-dns.c    (revision 44708)
+++ packet-dns.c    (working copy)
@@ -2299,7 +2299,7 @@
             proto_tree_add_item(rropt_tree, hf_dns_rr_opt_client_scope, tvb,
cur_offset, 1, ENC_BIG_ENDIAN);
             cur_offset += 1;

-            tvb_memcpy(tvb, ip_addr.bytes, cur_offset, (optlen - 4));
+            tvb_memcpy(tvb, ip_addr.bytes, cur_offset, MIN((size_t)(optlen -
4), sizeof(ip_addr)));
             switch(family) {
               case AFNUM_INET:
               proto_tree_add_ipv4(rropt_tree, hf_dns_rr_opt_client_addr4, tvb,

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.