From 69f07918e001d373e634ce04d829146a8728cba9 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Fri, 25 Nov 2022 16:10:07 +0000
Subject: [PATCH] Do not crash when a tcp query is larger than the length field indicated. Found by kn with amap. Input bluhm. OK deraadt, tb, otto, kn from florian@
---
 sbin/unwind/frontend.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sbin/unwind/frontend.c b/sbin/unwind/frontend.c
index 653e73200bc..335492d4373 100644
--- a/sbin/unwind/frontend.c
+++ b/sbin/unwind/frontend.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: frontend.c,v 1.73 2022/03/13 15:14:01 florian Exp $ */
+/* $OpenBSD: frontend.c,v 1.74 2022/11/25 16:10:07 bluhm Exp $ */
 /*
  * Copyright (c) 2018 Florian Obser
@@ -63,6 +63,7 @@
 #include "control.h"
 #include "dns64_synth.h"
 
+#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
 #define ROUTE_SOCKET_BUF_SIZE 16384
 
 /*
@@ -1699,6 +1700,7 @@ tcp_request(int fd, short events, void *arg)
 	if (sldns_buffer_position(pq->qbuf) >= 2 && !pq->abuf) {
 		struct sldns_buffer *tmp;
+		size_t rem;
 		uint16_t len;
 
 		sldns_buffer_flip(pq->qbuf);
 
@@ -1709,8 +1711,9 @@ tcp_request(int fd, short events, void *arg)
 		if (!tmp || !pq->abuf)
 			goto fail;
 
+		rem = sldns_buffer_remaining(pq->qbuf);
 		sldns_buffer_write(tmp, sldns_buffer_current(pq->qbuf),
-		    sldns_buffer_remaining(pq->qbuf));
+		    MINIMUM(len, rem));
 		sldns_buffer_free(pq->qbuf);
 		pq->qbuf = tmp;
 	}
-- 
2.20.1
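Review bot: The new `MINIMUM(len, rem)` argument to sldns_buffer_write in the last hunk stops the overflow, but when `rem > len` the surplus bytes are silently dropped together with the old `pq->qbuf` on the following sldns_buffer_free, so a query carrying more data than its two-byte length field announced is accepted as if it were well-formed and the TCP stream is left out of step with no log entry or error. Unless later code (tcp_request begins and ends outside the hunk, so I cannot see it) is meant to tolerate this, treating it as a malformed request is the stricter option: `if (rem > len) goto fail;` placed right after the `rem = sldns_buffer_remaining(pq->qbuf);` line reuses the existing fail path. If truncation is intentional, a one-line comment above the write, e.g. `/* bytes beyond the announced length are discarded */`, would record that choice for the next reader. The MINIMUM macro added in the second hunk evaluates each argument twice, which is harmless here because both operands are plain variables, but that caveat is worth a comment at its definition.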