dns_server: fix memory corrupt bug.

pymumu · Jul 17, 2023 · 93a8b87 · 93a8b87
1 parent ffc331a
commit 93a8b87
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 11 deletions.
diff --git a/src/dns.c b/src/dns.c
@@ -879,6 +879,11 @@ int dns_add_TXT(struct dns_packet *packet, dns_rr_type type, const char *domain,
 {
 	int rr_len = strnlen(text, DNS_MAX_CNAME_LEN);
 	char data[DNS_MAX_CNAME_LEN];
+
+	if (rr_len > DNS_MAX_CNAME_LEN - 2) {
+		return -1;
+	}
+
 	data[0] = rr_len;
 	rr_len++;
 	memcpy(data + 1, text, rr_len);

diff --git a/src/dns_conf.c b/src/dns_conf.c
@@ -868,11 +868,11 @@ static struct dns_domain_rule *_config_domain_rule_get(const char *domain)
 	char domain_key[DNS_MAX_CONF_CNAME_LEN];
 	int len = 0;
 
-	if (len >= (int)sizeof(domain_key) - 1) {
+	len = strlen(domain);
+	if (len >= (int)sizeof(domain_key) - 2) {
 		return NULL;
 	}
 
-	len = strlen(domain);
 	reverse_string(domain_key, domain, len, 1);
 	domain_key[len] = '.';
 	len++;
@@ -893,7 +893,7 @@ static int _config_domain_rule_add(const char *domain, enum domain_rule type, vo
 
 	/* Reverse string, for suffix match */
 	len = strlen(domain);
-	if (len >= (int)sizeof(domain_key) - 1) {
+	if (len >= (int)sizeof(domain_key) - 2) {
 		tlog(TLOG_ERROR, "domain name %s too long", domain);
 		goto errout;
 	}

diff --git a/src/dns_server.c b/src/dns_server.c
@@ -636,6 +636,15 @@ static void _dns_server_post_context_init(struct dns_server_post_context *contex
 	context->request = request;
 }
 
+static void _dns_server_context_add_ip(struct dns_server_post_context *context, const unsigned char *ip_addr)
+{
+	if (context->ip_num < MAX_IP_NUM) {
+		context->ip_addr[context->ip_num] = ip_addr;
+	}
+
+	context->ip_num++;
+}
+
 static void _dns_server_post_context_init_from(struct dns_server_post_context *context, struct dns_request *request,
 											   struct dns_packet *packet, unsigned char *inpacket, int inpacket_len)
 {
@@ -900,8 +909,7 @@ static int _dns_rrs_add_all_best_ip(struct dns_server_post_context *context)
 				}
 			}
 
-			context->ip_addr[context->ip_num] = addr_map->ip_addr;
-			context->ip_num++;
+			_dns_server_context_add_ip(context, addr_map->ip_addr);
 			if (addr_map->addr_type == DNS_T_A) {
 				ret |= dns_add_A(context->packet, DNS_RRS_AN, domain, request->ip_ttl, addr_map->ip_addr);
 			} else if (addr_map->addr_type == DNS_T_AAAA) {
@@ -954,8 +962,7 @@ static int _dns_add_rrs(struct dns_server_post_context *context)
 
 	/* add A record */
 	if (request->has_ip && context->do_force_soa == 0) {
-		context->ip_addr[0] = request->ip_addr;
-		context->ip_num++;
+		_dns_server_context_add_ip(context, request->ip_addr);
 		if (context->qtype == DNS_T_A) {
 			ret |= dns_add_A(context->packet, DNS_RRS_AN, domain, request->ip_ttl, request->ip_addr);
 			tlog(TLOG_DEBUG, "result: %s, rtt: %.1f ms, %d.%d.%d.%d", request->domain, ((float)request->ping_time) / 10,
@@ -3250,8 +3257,7 @@ static int _dns_server_get_answer(struct dns_server_post_context *context)
 					continue;
 				}
 
-				context->ip_addr[context->ip_num] = addr_map->ip_addr;
-				context->ip_num++;
+				_dns_server_context_add_ip(context, addr_map->ip_addr);
 				if (request->has_ip == 1) {
 					continue;
 				}
@@ -3283,8 +3289,7 @@ static int _dns_server_get_answer(struct dns_server_post_context *context)
 					continue;
 				}
 
-				context->ip_addr[context->ip_num] = addr_map->ip_addr;
-				context->ip_num++;
+				_dns_server_context_add_ip(context, addr_map->ip_addr);
 				if (request->has_ip == 1) {
 					continue;
 				}
@@ -3979,6 +3984,10 @@ static void _dns_server_get_domain_rule_by_domain(struct dns_request *request, c
 
 	/* reverse domain string */
 	domain_len = strlen(domain);
+	if (domain_len >= (int)sizeof(domain_key) - 2) {
+		return;
+	}
+
 	reverse_string(domain_key, domain, domain_len, 1);
 	domain_key[domain_len] = '.';
 	domain_len++;