Do not crash when a tcp query is larger than the length field
authorbluhm <bluhm@openbsd.org>
Fri, 25 Nov 2022 16:10:07 +0000 (16:10 +0000)
committerbluhm <bluhm@openbsd.org>
Fri, 25 Nov 2022 16:10:07 +0000 (16:10 +0000)
indicated.

Found by kn with amap.
Input bluhm.
OK deraadt, tb, otto, kn
from florian@

sbin/unwind/frontend.c

index 653e732..335492d 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: frontend.c,v 1.73 2022/03/13 15:14:01 florian Exp $   */
+/*     $OpenBSD: frontend.c,v 1.74 2022/11/25 16:10:07 bluhm Exp $     */
 
 /*
  * Copyright (c) 2018 Florian Obser <florian@openbsd.org>
@@ -63,6 +63,7 @@
 #include "control.h"
 #include "dns64_synth.h"
 
+#define        MINIMUM(a, b)           (((a) < (b)) ? (a) : (b))
 #define        ROUTE_SOCKET_BUF_SIZE   16384
 
 /*
@@ -1699,6 +1700,7 @@ tcp_request(int fd, short events, void *arg)
 
        if (sldns_buffer_position(pq->qbuf) >= 2 && !pq->abuf) {
                struct sldns_buffer     *tmp;
+               size_t                   rem;
                uint16_t                 len;
 
                sldns_buffer_flip(pq->qbuf);
@@ -1709,8 +1711,9 @@ tcp_request(int fd, short events, void *arg)
                if (!tmp || !pq->abuf)
                        goto fail;
 
+               rem = sldns_buffer_remaining(pq->qbuf);
                sldns_buffer_write(tmp, sldns_buffer_current(pq->qbuf),
-                   sldns_buffer_remaining(pq->qbuf));
+                   MINIMUM(len, rem));
                sldns_buffer_free(pq->qbuf);
                pq->qbuf = tmp;
        }
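Review bot: The clamp `MINIMUM(len, rem)` silently drops whatever the peer sent beyond the length prefix, and nothing at the call site says why `len` is the right bound or that the surplus is discarded on purpose. The allocation of `tmp` falls between the two hunks and is not shown, so I am assuming it is sized from `len`; if so, a comment above the write such as `/* tmp holds exactly len bytes; ignore anything sent past the length prefix */` would make the invariant explicit for the next person touching this copy. It is also worth deciding whether a query with `rem > len` should be treated as malformed framing and take the existing `goto fail` path instead of being truncated and answered, since the trailing bytes are never parsed or logged either way. The body of tcp_request starts and ends outside this hunk, so the handling of `len` before this point could not be checked here.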