From c36d446a9b5b3b6a8b8d4f57c65c319c66968310 Mon Sep 17 00:00:00 2001
From: Tobias Klauser
Date: Wed, 3 Aug 2016 10:31:46 +0200
Subject: llmnr-query: Prevent read buffer overflow in response parsing

When accessing the compressed name in a response, verify that the pointer is within the packet size.

Signed-off-by: Tobias Klauser
---
 llmnr-query.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/llmnr-query.c b/llmnr-query.c
index fefcf0b..27a2034 100644
--- a/llmnr-query.c
+++ b/llmnr-query.c
@@ -306,9 +306,13 @@ int main(int argc, char **argv)
 /* compression? */
 if (nl & 0xC0) {
 uint16_t ptr = (nl & 0x3F) << 8 | *pkt_put(p, 1);
- name = (char *)p->data + ptr + 1;
- } else
+ if (ptr < p->size - 1)
+ name = (char *)p->data + ptr + 1;
+ else
+ name = "";
+ } else {
 name = (char *)pkt_put(p, nl + 1);
+ }
 type = htons(*(uint16_t *)pkt_put(p, sizeof(type)));
 clss = htons(*(uint16_t *)pkt_put(p, sizeof(clss)));
--
cgit v1.2.3-54-g00ecf
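Review bot: The added bound check on the compression pointer only guarantees that the first byte at `p->data + ptr + 1` lies inside the packet; nothing ensures a NUL terminator occurs before `p->data + p->size`, so if `name` is later consumed as a C string (a `%s` print or `strlen`, which would happen outside this hunk and can only be inferred), the read can still run past the packet buffer. A stricter guard would also require a terminator within the remaining bytes, e.g. `if (ptr < p->size - 1 && memchr(p->data + ptr + 1, '\0', p->size - ptr - 1) != NULL)`, keeping the `name = "";` fallback otherwise. The `nl + 1`-byte read in the uncompressed branch has the same terminator question and relies on `pkt_put` bounds-checking that is not visible here. Silently substituting an empty name also hides a malformed response; a diagnostic on that path would let operators notice truncated or otherwise invalid replies. The enclosing `main` begins and ends outside the hunk.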