From a06951323496ee084b49e01d436616adf2d67f1b Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 16 Nov 2023 11:15:49 +1100
Subject: [PATCH] Check that buffer length in dns_message_renderbegin

The maximum DNS message size is 65535 octets. Check that the buffer being passed to dns_message_renderbegin does not exceed this as the compression code assumes that all offsets are no bigger than this.
---
 lib/dns/include/dns/message.h | 2 +-
 lib/dns/message.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index a4b4b3ffbe..dc0c05846f 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -600,7 +600,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
 *
 *\li 'cctx' be valid.
 *
- *\li 'buffer' is a valid buffer.
+ *\li 'buffer' is a valid buffer with length less than 65536.
 *
 * Side Effects:
 *
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 2f352dc7e7..c85e579b02 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1735,6 +1735,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
 REQUIRE(DNS_MESSAGE_VALID(msg));
 REQUIRE(buffer != NULL);
+ REQUIRE(isc_buffer_length(buffer) < 65536);
 REQUIRE(msg->buffer == NULL);
 REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
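Review bot: The added `REQUIRE(isc_buffer_length(buffer) < 65536);` in dns_message_renderbegin (lib/dns/message.c) makes an oversized render buffer an assertion failure, yet the patch changes no callers, so each call site that sizes its buffer from a configured or peer-influenced value should be confirmed to stay under the limit; otherwise the check itself becomes a way to stop the process. The same bound is presumably needed wherever the render buffer can be replaced after this call (dns_message_renderchangebuffer is not part of this patch and should be checked), since the compression offsets would otherwise still be able to exceed the limit. The bare literal would also be easier to maintain with its reason next to it, for example `/* compression offsets assume a message of at most 65535 octets */` above the line, or written as `REQUIRE(isc_buffer_length(buffer) <= UINT16_MAX);`. The function body starts and ends outside the hunk, so how the buffer is used afterwards is not visible here.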