Test for ns_parserr() and got a heap-buffer-overflow In ns_name_skip of ns_name.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Bug: 137346580 Test: built, flashed, booted Test: ns_parserr_fuzzer test Change-Id: Ib023bd9b2ae97795d64195de9922a6a32d7b2f37

commit: 2cc76462e586fde49145300d0602a208b69b5c23 [log] [tgz]
author: chenbruce <chenbruce@google.com> Tue Jul 30 12:15:54 2019 +0800
committer: chenbruce <chenbruce@google.com> Thu Aug 29 22:18:37 2019 +0800
tree: de2f5bdd517f53dc0a7e517e2ca80fe774041656
parent: c2a722f5d77911afd199f452b03d9c15fbe645f8 [diff]
diff --git a/libc/dns/nameser/ns_name.c b/libc/dns/nameser/ns_name.c
index 3a202c1..c2dc80f 100644
--- a/libc/dns/nameser/ns_name.c
+++ b/libc/dns/nameser/ns_name.c

@@ -692,7 +692,7 @@
 {
 	const u_char *cp;
 	u_int n;
-	int l;
+	int l=0;
 
 	cp = *ptrptr;
 	while (cp < eom && (n = *cp++) != 0) {
@@ -702,7 +702,7 @@
 			cp += n;
 			continue;
 		case NS_TYPE_ELT: /* EDNS0 extended label */
-			if ((l = labellen(cp - 1)) < 0) {
+			if (cp < eom && (l = labellen(cp - 1)) < 0) {
 				errno = EMSGSIZE; /* XXX */
 				return(-1);
 			}
commit	2cc76462e586fde49145300d0602a208b69b5c23	[log] [tgz]
author	chenbruce <chenbruce@google.com>	Tue Jul 30 12:15:54 2019 +0800
committer	chenbruce <chenbruce@google.com>	Thu Aug 29 22:18:37 2019 +0800
tree	de2f5bdd517f53dc0a7e517e2ca80fe774041656
parent	c2a722f5d77911afd199f452b03d9c15fbe645f8 [diff]