since the buffer passed always has an actual size of 512 bytes, the
maximum possible response packet size, no out-of-bounds access was
possible; however, reading past the end of the valid portion of the
packet could cause the parser to attempt to process junk as answer
content.
const unsigned char *p;
int len;
+ if (rlen<12) return -1;
if ((r[3]&15)) return 0;
p = r+12;
qdcount = r[4]*256 + r[5];
if (qdcount+ancount > 64) return -1;
while (qdcount--) {
while (p-r < rlen && *p-1U < 127) p++;
- if (*p>193 || (*p==193 && p[1]>254) || p>r+506)
+ if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6)
return -1;
p += 5 + !!*p;
}
while (ancount--) {
while (p-r < rlen && *p-1U < 127) p++;
- if (*p>193 || (*p==193 && p[1]>254) || p>r+506)
+ if (*p>193 || (*p==193 && p[1]>254) || p>r+rlen-6)
return -1;
p += 1 + !!*p;
len = p[8]*256 + p[9];