net: dns: Check DNS answer properly

The dns_unpack_answer() did not check the length of the message properly which can cause out of bounds read. Signed-off-by: Jukka Rissanen <[email protected]> (cherry picked from commit 6e7fcff)
zephyrproject-rtos · Dec 4, 2024 · 4556aa9 · 4556aa9
1 parent 347ea04
commit 4556aa9
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/subsys/net/lib/dns/dns_pack.c b/subsys/net/lib/dns/dns_pack.c
@@ -134,7 +134,7 @@ int dns_unpack_answer(struct dns_msg_t *dns_msg, int dname_ptr, uint32_t *ttl,
 	 *
 	 * See RFC-1035 4.1.3. Resource record format
 	 */
-	rem_size = dns_msg->msg_size - dname_len;
+	rem_size = dns_msg->msg_size - dns_msg->answer_offset - dname_len;
 	if (rem_size < 2 + 2 + 4 + 2) {
 		return -EINVAL;
 	}