diff options
author | Tobias Klauser <tklauser@distanz.ch> | 2017-02-08 08:45:47 +0100 |
---|---|---|
committer | Tobias Klauser <tklauser@distanz.ch> | 2017-02-08 09:34:29 +0100 |
commit | 5ff55246e69340fbcf1fa1283c9bd259aae8b2c6 (patch) | |
tree | 30022b784e96a36e321f2cf355ee03e4bbf373af | |
parent | 371de55728931fc253763328ae322ce9512afba1 (diff) |
llmnrd: Check query name length against LLMNR_LABEL_MAX_SIZE
Make sure the hostname buffer is not accessed out of bounds.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
-rw-r--r-- | llmnr.c | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -216,8 +216,9 @@ static void llmnr_packet_process(unsigned int ifindex, const uint8_t *pktbuf, si query = pktbuf + sizeof(struct llmnr_hdr); query_len = len - sizeof(struct llmnr_hdr); name_len = query[0]; + /* Invalid name in query? */ - if (name_len == 0 || name_len >= query_len || query[1 + name_len] != 0) + if (name_len == 0 || name_len >= query_len || name_len > LLMNR_LABEL_MAX_SIZE || query[1 + name_len] != 0) return; /* Authoritative? */ |