authorTobias Klauser <tklauser@distanz.ch>2016-08-03 10:31:46 +0200
committerTobias Klauser <tklauser@distanz.ch>2016-08-03 10:31:46 +0200
commitc36d446a9b5b3b6a8b8d4f57c65c319c66968310 (patch)
treed8ae2c316e89a3177440be1f77c0933475ca7f60
parent5939d09f16547ab935d8e3699688ed1817471da5 (diff)
llmnr-query: Prevent read buffer overflow in response parsing
When accessing the compressed name in a response, verify that the pointer is within the packet size. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
-rw-r--r--llmnr-query.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/llmnr-query.c b/llmnr-query.c
index fefcf0b..27a2034 100644
--- a/llmnr-query.c
+++ b/llmnr-query.c
@@ -306,9 +306,13 @@ int main(int argc, char **argv)
/* compression? */
if (nl & 0xC0) {
uint16_t ptr = (nl & 0x3F) << 8 | *pkt_put(p, 1);
- name = (char *)p->data + ptr + 1;
- } else
+ if (ptr < p->size - 1)
+ name = (char *)p->data + ptr + 1;
+ else
+ name = "<invalid>";
+ } else {
name = (char *)pkt_put(p, nl + 1);
+ }
type = htons(*(uint16_t *)pkt_put(p, sizeof(type)));
clss = htons(*(uint16_t *)pkt_put(p, sizeof(clss)));
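Review bot: The added check `ptr < p->size - 1` in the compression branch only proves that the first byte of the compressed name lies inside the buffer; it does not bound how far the name is read afterwards. Because the fallback is the C string `"<invalid>"`, `name` is presumably consumed as a NUL-terminated string later in main() (its body continues outside this hunk), so a response whose pointer lands on bytes with no terminator before the end of the buffer could still cause an out-of-bounds read. Consider requiring a terminator inside the packet, e.g. `if (ptr < p->size - 1 && memchr(p->data + ptr + 1, '\0', p->size - ptr - 1))`, or bounding the name by the label length byte at `p->data[ptr]`. It is also worth confirming that `p->size` is the number of bytes actually received rather than the buffer capacity, and that it cannot be 0 if it is unsigned, since `p->size - 1` would then wrap and the check would always pass.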