net: dns: Check that we do not access data past msg size

jukkar · nashif · commit abbaca1e5474 · 2020-12-08T14:42:26.000-05:00
This is not possible with valid DNS messages but is possible if
we receive malformed DNS packet.

Signed-off-by: Jukka Rissanen &lt;jukka.rissanen@linux.intel.com&gt;
Signed-off-by: Flavio Ceolin &lt;flavio.ceolin@intel.com&gt;
diff --git a/subsys/net/lib/dns/dns_pack.c b/subsys/net/lib/dns/dns_pack.c
@@ -325,7 +325,7 @@ int dns_unpack_response_query(struct dns_msg_t *dns_msg)
 
 	/* 4 bytes more due to qtype and qclass */
 	offset += DNS_QTYPE_LEN + DNS_QCLASS_LEN;
-	if (offset > dns_msg->msg_size) {
+	if (offset >= dns_msg->msg_size) {
 		return -ENOMEM;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -325,7 +325,7 @@ int dns_unpack_response_query(struct dns_msg_t *dns_msg)`
`325`	`325`
`326`	`326`	`/* 4 bytes more due to qtype and qclass */`
`327`	`327`	`offset += DNS_QTYPE_LEN + DNS_QCLASS_LEN;`
`328`		`- if (offset > dns_msg->msg_size) {`
	`328`	`+ if (offset >= dns_msg->msg_size) {`
`329`	`329`	`return -ENOMEM;`
`330`	`330`	`}`
`331`	`331`