From 93a8b87c1710a7f982fa086f179e498abcad8ec0 Mon Sep 17 00:00:00 2001
From: Nick Peng
Date: Mon, 17 Jul 2023 21:47:14 +0800
Subject: [PATCH] dns_server: fix memory corrupt bug.
---
 src/dns.c | 5 +++++
 src/dns_conf.c | 6 +++---
 src/dns_server.c | 25 +++++++++++++++++--------
 3 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/src/dns.c b/src/dns.c
index f70edc0..0d8dff9 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -879,6 +879,11 @@ int dns_add_TXT(struct dns_packet *packet, dns_rr_type type, const char *domain,
 {
 int rr_len = strnlen(text, DNS_MAX_CNAME_LEN);
 char data[DNS_MAX_CNAME_LEN];
+
+ if (rr_len > DNS_MAX_CNAME_LEN - 2) {
+ return -1;
+ }
+
+
 data[0] = rr_len;
 rr_len++;
 memcpy(data + 1, text, rr_len);
diff --git a/src/dns_conf.c b/src/dns_conf.c
index c1f4012..382b17b 100644
--- a/src/dns_conf.c
+++ b/src/dns_conf.c
@@ -868,11 +868,11 @@ static struct dns_domain_rule *_config_domain_rule_get(const char *domain)
 char domain_key[DNS_MAX_CONF_CNAME_LEN];
 int len = 0;
- if (len >= (int)sizeof(domain_key) - 1) {
+ len = strlen(domain);
+ if (len >= (int)sizeof(domain_key) - 2) {
 return NULL;
 }
- len = strlen(domain);
 reverse_string(domain_key, domain, len, 1);
 domain_key[len] = '.';
 len++;
@@ -893,7 +893,7 @@ static int _config_domain_rule_add(const char *domain, enum domain_rule type, vo
 /* Reverse string, for suffix match */
 len = strlen(domain);
- if (len >= (int)sizeof(domain_key) - 1) {
+ if (len >= (int)sizeof(domain_key) - 2) {
 tlog(TLOG_ERROR, "domain name %s too long", domain);
 goto errout;
 }
diff --git a/src/dns_server.c b/src/dns_server.c
index 41a3210..a6fddef 100644
--- a/src/dns_server.c
+++ b/src/dns_server.c
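Review bot: The new guard in dns_add_TXT bounds rr_len only by DNS_MAX_CNAME_LEN, while `data[0] = rr_len;` stores it in a single `char` as the TXT length prefix, so the check is sufficient only while that constant stays at or below 257; its value is defined outside this diff. Consider making the one-octet limit explicit, e.g. `if (rr_len > DNS_MAX_CNAME_LEN - 2 || rr_len > 255) {`. A comment such as `/* reserve the length prefix byte and the NUL that memcpy copies along with the text */` would also explain the `- 2`. The function body continues past the hunk, so later writes to `data` are not visible here.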
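Review bot: The `- 2` reserve in the length guard of _config_domain_rule_get is undocumented, and the same guard now appears in _config_domain_rule_add (next hunk) and in _dns_server_get_domain_rule_by_domain in src/dns_server.c. A comment such as `/* keep room for the '.' appended below and the terminating NUL */` on each would stop the three copies drifting apart again; the NUL write itself is outside the hunk, so the exact reserve should be confirmed against it. This path also returns NULL without a log line, unlike _config_domain_rule_add, which reports the over-long name through tlog.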
@@ -636,6 +636,15 @@ static void _dns_server_post_context_init(struct dns_server_post_context *contex
 context->request = request;
 }
+static void _dns_server_context_add_ip(struct dns_server_post_context *context, const unsigned char *ip_addr)
+{
+ if (context->ip_num < MAX_IP_NUM) {
+ context->ip_addr[context->ip_num] = ip_addr;
+ }
+
+ context->ip_num++;
+}
+
 static void _dns_server_post_context_init_from(struct dns_server_post_context *context, struct dns_request *request, struct dns_packet *packet, unsigned char *inpacket, int inpacket_len)
 {
@@ -900,8 +909,7 @@ static int _dns_rrs_add_all_best_ip(struct dns_server_post_context *context)
 }
 }
- context->ip_addr[context->ip_num] = addr_map->ip_addr;
- context->ip_num++;
+ _dns_server_context_add_ip(context, addr_map->ip_addr);
 if (addr_map->addr_type == DNS_T_A) {
 ret |= dns_add_A(context->packet, DNS_RRS_AN, domain, request->ip_ttl, addr_map->ip_addr);
 } else if (addr_map->addr_type == DNS_T_AAAA) {
@@ -954,8 +962,7 @@ static int _dns_add_rrs(struct dns_server_post_context *context)
 /* add A record */
 if (request->has_ip && context->do_force_soa == 0) {
- context->ip_addr[0] = request->ip_addr;
- context->ip_num++;
+ _dns_server_context_add_ip(context, request->ip_addr);
 if (context->qtype == DNS_T_A) {
 ret |= dns_add_A(context->packet, DNS_RRS_AN, domain, request->ip_ttl, request->ip_addr);
 tlog(TLOG_DEBUG, "result: %s, rtt: %.1f ms, %d.%d.%d.%d", request->domain, ((float)request->ping_time) / 10,
@@ -3250,8 +3257,7 @@ static int _dns_server_get_answer(struct dns_server_post_context *context)
 continue;
 }
- context->ip_addr[context->ip_num] = addr_map->ip_addr;
- context->ip_num++;
+ _dns_server_context_add_ip(context, addr_map->ip_addr);
 if (request->has_ip == 1) {
 continue;
 }
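Review bot: _dns_server_context_add_ip still increments `context->ip_num` when the address was not stored, so once the array is full `ip_num` exceeds MAX_IP_NUM and no longer equals the number of valid `ip_addr` entries. Any reader that loops `i < context->ip_num` over `ip_addr` would then index past the array; those readers are outside this diff and need checking. If the over-count is not needed, return early with `if (context->ip_num >= MAX_IP_NUM) { return; }` and then store with `context->ip_addr[context->ip_num++] = ip_addr;`. If it is intentional, a comment on the helper should say that `ip_num` counts addresses seen, not addresses stored.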
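Review bot: In _dns_add_rrs the replaced code always wrote `request->ip_addr` to slot 0, whereas the helper stores it at `context->ip_addr[context->ip_num]`, so this hunk changes which slot is written whenever `ip_num` is non-zero on entry. Whether `ip_num` is always 0 at this point depends on the context initialisation, which is outside the hunk. If that holds, a short comment such as `/* ip_num is expected to be 0 here: first address recorded for this response */` would make the assumption visible to the next reader.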
@@ -3283,8 +3289,7 @@ static int _dns_server_get_answer(struct dns_server_post_context *context)
 continue;
 }
- context->ip_addr[context->ip_num] = addr_map->ip_addr;
- context->ip_num++;
+ _dns_server_context_add_ip(context, addr_map->ip_addr);
 if (request->has_ip == 1) {
 continue;
 }
@@ -3979,6 +3984,10 @@ static void _dns_server_get_domain_rule_by_domain(struct dns_request *request, c
 /* reverse domain string */
 domain_len = strlen(domain);
+ if (domain_len >= (int)sizeof(domain_key) - 2) {
+ return;
+ }
+
 reverse_string(domain_key, domain, domain_len, 1);
 domain_key[domain_len] = '.';
 domain_len++;
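Review bot: The early `return;` added to _dns_server_get_domain_rule_by_domain silently skips rule lookup for any name that does not fit `domain_key`, so such a request is handled as if no domain rule matched. If a request name can reach that length (the size of `domain_key` is declared outside the hunk), rules configured for a parent domain would not be applied to it. Logging before the return, e.g. `tlog(TLOG_DEBUG, "domain name %s too long", domain);`, would make the skipped lookup visible. The function continues past the hunk.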