From ed28c1ba666b39581adb860bf51cdde43c84cc89 Mon Sep 17 00:00:00 2001 From: Adam Date: Mon, 26 Mar 2012 04:59:13 -0400 Subject: Fixed out of bounds memory access from malformed DNS queries that have an invalid length label. Introduced in a6a07de0daa353bcd29056a4535a9c4784c113c8. --- src/dns.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/dns.cpp b/src/dns.cpp index 2e1c751c4..be74e6aa3 100644 --- a/src/dns.cpp +++ b/src/dns.cpp @@ -760,7 +760,7 @@ DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, unsigned length) else i += header.payload[i] + 1; /* skip length and label */ } } - if (length - i < 10) + if (static_cast(length - i) < 10) return std::make_pair((unsigned char*)NULL,"Incorrectly sized DNS reply"); /* XXX: We actually initialise 'rr' here including its ttl field */ -- cgit v1.2.3