BUG: dns: Fix out-of-bounds read via signedness error in dns_validate_dns_response() Since the data_len field of the dns_answer_item struct was an int16_t, record length values larger than 2^15-1 were causing an integer overflow and thus may have been interpreted as negative, making us read well before the beginning of the buffer. This might have led to information disclosure or a crash. To be backported to 1.8, probably also 1.7.

commit: bc552102ad0ba14eaf83a93a5119f316fa6481f5 [log] [tgz]
author: Remi Gacogne <remi.gacogne@powerdns.com> Wed Dec 05 17:57:49 2018 +0100
committer: Willy Tarreau <w@1wt.eu> Wed Dec 12 14:44:38 2018 +0100
tree: 0bdb99270107e7588497c87facd1505dd6b6fdfe
parent: efbbdf72992cd20458259962346044cafd9331c0 [diff]
diff --git a/include/types/dns.h b/include/types/dns.h
index d7afe02..0ebe380 100644
--- a/include/types/dns.h
+++ b/include/types/dns.h

@@ -145,7 +145,7 @@
 	int16_t         priority;                  /* SRV type priority */
 	uint16_t        weight;                    /* SRV type weight */
 	int16_t         port;                      /* SRV type port */
-	int16_t         data_len;                  /* number of bytes in target below */
+	uint16_t        data_len;                  /* number of bytes in target below */
 	struct sockaddr address;                   /* IPv4 or IPv6, network format */
 	char            target[DNS_MAX_NAME_SIZE]; /* Response data: SRV or CNAME type target */
 	time_t          last_seen;                 /* When was the answer was last seen */
commit	bc552102ad0ba14eaf83a93a5119f316fa6481f5	[log] [tgz]
author	Remi Gacogne <remi.gacogne@powerdns.com>	Wed Dec 05 17:57:49 2018 +0100
committer	Willy Tarreau <w@1wt.eu>	Wed Dec 12 14:44:38 2018 +0100
tree	0bdb99270107e7588497c87facd1505dd6b6fdfe
parent	efbbdf72992cd20458259962346044cafd9331c0 [diff]