From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001 From: Denys Vlasenko Date: Thu, 10 Mar 2016 11:47:58 +0100 Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name Signed-off-by: Denys Vlasenko Signed-off-by: Mike Frysinger (cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87) --- networking/udhcp/domain_codec.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c index c1325d8..8429367 100644 --- a/networking/udhcp/domain_codec.c +++ b/networking/udhcp/domain_codec.c @@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre) if (crtpos + *c + 1 > clen) /* label too long? abort */ return NULL; if (dst) - memcpy(dst + len, c + 1, *c); + /* \3com ---> "com." */ + ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.'; len += *c + 1; crtpos += *c + 1; - if (dst) - dst[len - 1] = '.'; } else { /* NUL: end of current domain name */ if (retpos == 0) { @@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre) crtpos = retpos; retpos = depth = 0; } - if (dst) + if (dst && len != 0) + /* \4host\3com\0\4host and we are at \0: + * \3com was converted to "com.", change dot to space. + */ dst[len - 1] = ' '; } @@ -228,6 +230,9 @@ int main(int argc, char **argv) int len; uint8_t *encoded; + uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 }; + printf("NUL:'%s'\n", dname_dec(str, 6, "")); + #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre)) printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:")); printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", "")); -- 2.7.4