File CVE-2021-3672.patch of Package libcares2.29101
Index: c-ares-1.9.1/ares_expand_name.c
===================================================================
--- c-ares-1.9.1.orig/ares_expand_name.c
+++ c-ares-1.9.1/ares_expand_name.c
@@ -39,6 +39,26 @@
static int name_length(const unsigned char *encoded, const unsigned char *abuf,
int alen);
+/* Reserved characters for names that need to be escaped */
+static int is_reservedch(int ch)
+{
+ switch (ch) {
+ case '"':
+ case '.':
+ case ';':
+ case '\\':
+ case '(':
+ case ')':
+ case '@':
+ case '$':
+ return 1;
+ default:
+ break;
+ }
+
+ return 0;
+}
+
/* Expand an RFC1035-encoded domain name given by encoded. The
* containing message is given by abuf and alen. The result given by
* *s, which is set to a NUL-terminated allocated buffer. *enclen is
@@ -114,18 +134,37 @@ int ares_expand_name(const unsigned char
}
else
{
- len = *p;
+ int name_len = *p;
+ len = name_len;
p++;
+
while (len--)
{
- if (*p == '.' || *p == '\\')
- *q++ = '\\';
- *q++ = *p;
+ /* Output as \DDD for consistency with RFC1035 5.1, except
+ * for the special case of a root name response */
+ if (!isprint(*p) && !(name_len == 1 && *p == 0))
+ {
+
+ *q++ = '\\';
+ *q++ = '0' + *p / 100;
+ *q++ = '0' + (*p % 100) / 10;
+ *q++ = '0' + (*p % 10);
+ }
+ else if (is_reservedch(*p))
+ {
+ *q++ = '\\';
+ *q++ = *p;
+ }
+ else
+ {
+ *q++ = *p;
+ }
p++;
}
*q++ = '.';
}
- }
+ }
+
if (!indir)
*enclen = aresx_uztosl(p + 1U - encoded);
@@ -144,7 +183,7 @@ int ares_expand_name(const unsigned char
static int name_length(const unsigned char *encoded, const unsigned char *abuf,
int alen)
{
- int n = 0, offset, indir = 0;
+ int n = 0, offset, indir = 0, top;
/* Allow the caller to pass us abuf + alen and have us check for it. */
if (encoded == abuf + alen)
@@ -152,7 +191,8 @@ static int name_length(const unsigned ch
while (*encoded)
{
- if ((*encoded & INDIR_MASK) == INDIR_MASK)
+ top = (*encoded & INDIR_MASK);
+ if (top == INDIR_MASK)
{
/* Check the offset and go there. */
if (encoded + 1 >= abuf + alen)
@@ -168,19 +208,40 @@ static int name_length(const unsigned ch
if (++indir > alen)
return -1;
}
- else
+ else if (top == 0x00)
{
- offset = *encoded;
+ int name_len = *encoded;
+ offset = name_len;
if (encoded + offset + 1 >= abuf + alen)
return -1;
encoded++;
+
while (offset--)
{
- n += (*encoded == '.' || *encoded == '\\') ? 2 : 1;
+ if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0))
+ {
+ n += 4;
+ }
+ else if (is_reservedch(*encoded))
+ {
+ n += 2;
+ }
+ else
+ {
+ n += 1;
+ }
encoded++;
}
+
n++;
}
+ else
+ {
+ /* RFC 1035 4.1.4 says other options (01, 10) for top 2
+ * bits are reserved.
+ */
+ return -1;
+ }
}
/* If there were any labels at all, then the number of dots is one
