author | Evan Huus <eapache@gmail.com> | 2012-09-15 13:49:27 +0000 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2012-09-15 13:49:27 +0000 |
commit | 5a7af5d6d96c647d75be8fb0f57e9bbe3e530fb2 (patch) | |
tree | 9d5b3779306f517a5f3590f56e390ba5d8aa5827 /epan | |
parent | 5164694d0f597cb9009226969cdc8538c03930b1 (diff) |
Avoid a stack-smash when decoding the new DNS option field if the length is
malformed.
Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7730
svn path=/trunk/; revision=44915
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-dns.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/epan/dissectors/packet-dns.c b/epan/dissectors/packet-dns.c
index 46fcb9afa3..b487a73bda 100644
--- a/epan/dissectors/packet-dns.c
+++ b/epan/dissectors/packet-dns.c
@@ -2341,7 +2341,7 @@ dissect_dns_answer(tvbuff_t *tvb, int offsetx, int dns_data_offset,
 rropt_tree = proto_item_add_subtree(rropt, ett_dns_opts);
 proto_tree_add_item(rropt_tree, hf_dns_rr_opt_code, tvb, cur_offset, 2, ENC_BIG_ENDIAN);
 cur_offset += 2;
- proto_tree_add_item(rropt_tree, hf_dns_rr_opt_len, tvb, cur_offset, 2, ENC_BIG_ENDIAN);
+ rropt = proto_tree_add_item(rropt_tree, hf_dns_rr_opt_len, tvb, cur_offset, 2, ENC_BIG_ENDIAN);
 cur_offset += 2;
 proto_tree_add_item(rropt_tree, hf_dns_rr_opt_data, tvb, cur_offset, optlen, ENC_NA);
@@ -2361,6 +2361,13 @@ dissect_dns_answer(tvbuff_t *tvb, int offsetx, int dns_data_offset,
 proto_tree_add_item(rropt_tree, hf_dns_rr_opt_client_scope, tvb, cur_offset, 1, ENC_BIG_ENDIAN);
 cur_offset += 1;
+ if (optlen-4 > 16) {
+ expert_add_info_format(pinfo, rropt, PI_MALFORMED, PI_ERROR,
+ "Length too long for any type of IP address.");
+ /* Avoid stack-smashing which occurs otherwise with the
+ * following tvb_memcpy. */
+ optlen = 20;
+ }
 tvb_memcpy(tvb, ip_addr.bytes, cur_offset, (optlen - 4));
 switch(family) {
 case AFNUM_INET: |
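Review bot: `rropt` is reused for the length item in the added line, although two lines earlier it is the option item passed to `proto_item_add_subtree(rropt, ett_dns_opts)`. A dedicated variable, for example `rropt_len_item = proto_tree_add_item(rropt_tree, hf_dns_rr_opt_len, tvb, cur_offset, 2, ENC_BIG_ENDIAN);`, would make it clear which item the later expert info is attached to. It would also keep the option item available to any code after the hunk that still expects it. The declaration and the other uses of `rropt` are outside the hunk.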
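Review bot: The added guard `if (optlen-4 > 16)` bounds the copy only from above, so an option length below 4 still reaches `tvb_memcpy(tvb, ip_addr.bytes, cur_offset, (optlen - 4))`. The declaration of `optlen` is outside the hunk, but if it is a 16-bit or signed type, `optlen-4` is a negative `int` that passes the `> 16` test and then converts to a very large length argument. A lower-bound check such as `if (optlen < 4)`, which flags the option as malformed and skips the address copy, would close that case. Assuming `ip_addr.bytes` is an array, writing the upper bound as `sizeof(ip_addr.bytes)` would replace the magic numbers 16 and 20 and keep the limit tied to the destination buffer. Overwriting `optlen` with 20 also changes the value that any later code (not visible here) uses to step past the option, so clamping a separate copy-length variable would preserve the wire length.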