From 5ff55246e69340fbcf1fa1283c9bd259aae8b2c6 Mon Sep 17 00:00:00 2001
From: Tobias Klauser
Date: Wed, 8 Feb 2017 08:45:47 +0100
Subject: llmnrd: Check query name length against LLMNR_LABEL_MAX_SIZE

Make sure the hostname buffer is not accessed out of bounds.

Signed-off-by: Tobias Klauser
---
 llmnr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/llmnr.c b/llmnr.c
index 0b35ae7..ec7726e 100644
--- a/llmnr.c
+++ b/llmnr.c
@@ -216,8 +216,9 @@ static void llmnr_packet_process(unsigned int ifindex, const uint8_t *pktbuf, si
 query = pktbuf + sizeof(struct llmnr_hdr);
 query_len = len - sizeof(struct llmnr_hdr);
 name_len = query[0];
+
 /* Invalid name in query? */
- if (name_len == 0 || name_len >= query_len || query[1 + name_len] != 0)
+ if (name_len == 0 || name_len >= query_len || name_len > LLMNR_LABEL_MAX_SIZE || query[1 + name_len] != 0)
 return;
 
 /* Authoritative? */
-- 
cgit v1.2.3-54-g00ecf
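Review bot: The bound `name_len >= query_len` in the changed condition still admits `name_len == query_len - 1`, in which case `query[1 + name_len]` reads `query[query_len]`, one byte past the received query data. Tightening that term closes the off-by-one: `if (name_len == 0 || name_len + 1 >= query_len || name_len > LLMNR_LABEL_MAX_SIZE || query[1 + name_len] != 0)`. `name_len = query[0]` is also read before anything in the hunk establishes that `query_len` is non-zero; an earlier length check may cover this, but the function starts and ends outside the hunk. Whether `>` or `>=` is the right comparison against `LLMNR_LABEL_MAX_SIZE` depends on how the hostname buffer is declared, which is not shown either, so a short comment stating the buffer size next to the check would help.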