From 0ab1bea4e36261e156c6bf1db59d92d5c99e3b1c Mon Sep 17 00:00:00 2001 From: reyk Date: Wed, 23 Jul 2008 10:05:18 +0000 Subject: [PATCH] validate packet length in debug dns packet logging before printing the header. --- usr.sbin/relayd/relay_udp.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/usr.sbin/relayd/relay_udp.c b/usr.sbin/relayd/relay_udp.c index 15cdcc056e6..d6eeca6fbd5 100644 --- a/usr.sbin/relayd/relay_udp.c +++ b/usr.sbin/relayd/relay_udp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: relay_udp.c,v 1.15 2008/07/09 17:24:14 reyk Exp $ */ +/* $OpenBSD: relay_udp.c,v 1.16 2008/07/23 10:05:18 reyk Exp $ */ /* * Copyright (c) 2007, 2008 Reyk Floeter @@ -61,7 +61,7 @@ int relay_udp_socket(struct sockaddr_storage *, in_port_t, void relay_udp_request(struct session *); void relay_udp_timeout(int, short, void *); -void relay_dns_log(struct session *, u_int8_t *); +void relay_dns_log(struct session *, u_int8_t *, size_t); void *relay_dns_validate(struct session *, struct relay *, struct sockaddr_storage *, u_int8_t *, size_t); @@ -372,10 +372,17 @@ struct relay_dnshdr { } __packed; void -relay_dns_log(struct session *con, u_int8_t *buf) +relay_dns_log(struct session *con, u_int8_t *buf, size_t len) { struct relay_dnshdr *hdr = (struct relay_dnshdr *)buf; + /* Validate the header length */ + if (len < sizeof(*hdr)) { + log_debug("relay_dns_log: session %d: short dns packet", + con->se_id); + return; + } + log_debug("relay_dns_log: session %d: %s id 0x%x " "flags 0x%x:0x%x qd %u an %u ns %u ar %u", con->se_id, @@ -457,7 +464,7 @@ relay_dns_request(struct session *con) if (buf == NULL || priv == NULL || len < 1) return (-1); if (debug) - relay_dns_log(con, buf); + relay_dns_log(con, buf, len); if (gettimeofday(&con->se_tv_start, NULL)) return (-1); 
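Review bot: The short-packet message added to relay_dns_log does not report how many bytes actually arrived, which is the one fact an operator needs when truncated DNS packets appear in a debug log. Consider `log_debug("relay_dns_log: session %d: short dns packet (%zu bytes)", con->se_id, len);`. The cast of `buf` to `struct relay_dnshdr *` above the check is harmless because `hdr` is not dereferenced until after it, but assigning `hdr` below the check would make that obvious to the next reader. The function body continues past the end of the hunk.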
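Review bot: The length check added by this commit only runs when `debug` is set, so in relay_dns_request, where the visible guard is `len < 1`, nothing in this hunk rejects a packet shorter than `struct relay_dnshdr` during normal operation. The same holds for the relay_dns_result hunk, where the comment right after the logging call announces a rewrite of the request Id in the header. relay_dns_validate takes a length and presumably enforces the header size before either function is reached, but that is not visible here. If it does, a comment such as `/* len >= sizeof(struct relay_dnshdr) is guaranteed by relay_dns_validate() */` at both call sites would record the precondition; if it does not, relay_dns_request should `return (-1)` when `len < sizeof(struct relay_dnshdr)`. Both function bodies start and end outside their hunks.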
@@ -512,7 +519,7 @@ relay_dns_result(struct session *con, u_int8_t *buf, size_t len) fatalx("relay_dns_result: response to invalid session"); if (debug) - relay_dns_log(con, buf); + relay_dns_log(con, buf, len); /* * Replace the random DNS request Id with the original Id -- 2.20.1