net: dns: Check DNS answer properly

jukkar · kartben · commit 6e7fcff579b9 · 2024-11-28T20:52:20.000+01:00
The dns_unpack_answer() did not check the length of the message
properly which can cause out of bounds read.

Signed-off-by: Jukka Rissanen &lt;jukka.rissanen@nordicsemi.no&gt;
diff --git a/subsys/net/lib/dns/dns_pack.c b/subsys/net/lib/dns/dns_pack.c
@@ -134,7 +134,7 @@ int dns_unpack_answer(struct dns_msg_t *dns_msg, int dname_ptr, uint32_t *ttl,
 	 *
 	 * See RFC-1035 4.1.3. Resource record format
 	 */
-	rem_size = dns_msg->msg_size - dname_len;
+	rem_size = dns_msg->msg_size - dns_msg->answer_offset - dname_len;
 	if (rem_size < 2 + 2 + 4 + 2) {
 		return -EINVAL;
 	}

Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,7 @@ int dns_unpack_answer(struct dns_msg_t dns_msg, int dname_ptr, uint32_t ttl,`
`134`	`134`	`*`
`135`	`135`	`* See RFC-1035 4.1.3. Resource record format`
`136`	`136`	`*/`
`137`		`- rem_size = dns_msg->msg_size - dname_len;`
	`137`	`+ rem_size = dns_msg->msg_size - dns_msg->answer_offset - dname_len;`
`138`	`138`	`if (rem_size < 2 + 2 + 4 + 2) {`
`139`	`139`	`return -EINVAL;`
`140`	`140`	`}`