mdns mdns_multiquery_send can run over the buffer

mdns_multiquery_send can run over the buffer

Open MattC11 opened this issue 1 year ago • 0 comments

Line 1112 to 1115 of mdns.h is:

if (!data)
    return -1;
// Record type
data = mdns_htons(data, query[iq].type);
//! Optional unicast response based on local port, class IN
data = mdns_htons(data, rclass);

While !data is checked it can still be pointing very near the end of the buffer, and mdns_htons will write memcpy past the end of the buffer. It should have the same check that is used elsewhere

if (!data)
    return -1;
// Record type
size_t remain = capacity - MDNS_POINTER_DIFF(data, buffer);
if (remain < 4)
    return 0;
data = mdns_htons(data, query[iq].type);
//! Optional unicast response based on local port, class IN
data = mdns_htons(data, rclass);

Nov 07 '23 23:11 MattC11

mdns mdns copied to clipboard

mdns_multiquery_send can run over the buffer

mdns
mdns copied to clipboard