From d9137653d89ed3497d8a23dc049216bd316e07ce Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Sun, 20 May 2018 19:06:46 +0200
Subject: [PATCH] guard more carefully against integer overflows
---
 src/gns/gnunet-service-gns_resolver.c | 14 +++++++++++---
 src/gnsrecord/gnsrecord_serialization.c | 12 ++++++++----
 2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/src/gns/gnunet-service-gns_resolver.c b/src/gns/gnunet-service-gns_resolver.c
index edb3d5231..b66516363 100644
--- a/src/gns/gnunet-service-gns_resolver.c
+++ b/src/gns/gnunet-service-gns_resolver.c
@@ -1654,6 +1654,8 @@ recursive_gns2dns_resolution (struct GNS_ResolverHandle *rh,
 size_t off;
 struct Gns2DnsPending *gp;
 struct GNUNET_CRYPTO_EcdsaPublicKey zone;
+ struct sockaddr_in v4;
+ struct sockaddr_in6 v6;
 if (GNUNET_GNSRECORD_TYPE_GNS2DNS != rd[i].record_type)
 continue;
@@ -1695,10 +1697,16 @@ recursive_gns2dns_resolution (struct GNS_ResolverHandle *rh,
 }
 /* check if 'ip' is already an IPv4/IPv6 address */
- if (GNUNET_OK ==
- GNUNET_DNSSTUB_add_dns_ip (ac->authority_info.dns_authority.dns_handle,
- ip))
+ if ( (1 == inet_pton (AF_INET,
+ ip,
+ &v4)) ||
+ (1 == inet_pton (AF_INET6,
+ ip,
+ &v6)) )
 {
+ GNUNET_break (GNUNET_OK ==
+ GNUNET_DNSSTUB_add_dns_ip (ac->authority_info.dns_authority.dns_handle,
+ ip));
 ac->authority_info.dns_authority.found = GNUNET_YES;
 GNUNET_free (ip);
 continue;
diff --git a/src/gnsrecord/gnsrecord_serialization.c b/src/gnsrecord/gnsrecord_serialization.c
index 1db27464f..6164fa3db 100644
--- a/src/gnsrecord/gnsrecord_serialization.c
+++ b/src/gnsrecord/gnsrecord_serialization.c
@@ -126,7 +126,8 @@ GNUNET_GNSRECORD_records_serialize (unsigned int rd_count,
 rec.data_size = htonl ((uint32_t) rd[i].data_size);
 rec.record_type = htonl (rd[i].record_type);
 rec.flags = htonl (rd[i].flags);
- if (off + sizeof (rec) > dest_size)
+ if ( (off + sizeof (rec) > dest_size) ||
+ (off + sizeof (rec) < off) )
 {
 GNUNET_break (0);
 return -1;
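Review bot: The two scratch buffers added in the `@@ -1654` hunk have the wrong type for their only visible use, because `inet_pton` stores a `struct in_addr` for `AF_INET` and a `struct in6_addr` for `AF_INET6`, not a socket address. The calls in the following hunk work only because the sockaddr structs are larger than what is written and the result is never read; anyone who later reads `v4.sin_addr` would not find the parsed address there. Declaring them as `struct in_addr v4;` and `struct in6_addr v6;` states the intent and matches the API. The enclosing loop body starts and ends outside the hunk.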
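Review bot: In the `@@ -1695` hunk a failure of `GNUNET_DNSSTUB_add_dns_ip` is now only reported through `GNUNET_break`, and `ac->authority_info.dns_authority.found` is set to `GNUNET_YES` regardless, so resolution may continue as if a DNS server had been registered. Consider keeping the result in a conditional, e.g. `if (GNUNET_OK != GNUNET_DNSSTUB_add_dns_ip (ac->authority_info.dns_authority.dns_handle, ip)) GNUNET_break (0); else ac->authority_info.dns_authority.found = GNUNET_YES;`. That also keeps a call with side effects out of a diagnostic macro's argument, so the behaviour does not depend on how `GNUNET_break` expands. The surrounding loop starts and ends outside the hunk.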
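Review bot: The context line `rec.data_size = htonl ((uint32_t) rd[i].data_size);` at the top of the `@@ -126` hunk still narrows the size before the new wrap checks run. If `data_size` is wider than 32 bits (its declaration is not visible here), a value above `UINT32_MAX` would be written as a truncated length field, while the bounds check in the next hunk uses the full value. Rejecting it first, e.g. `if (rd[i].data_size > UINT32_MAX) { GNUNET_break (0); return -1; }`, would keep the length header and the payload consistent. The loop body starts and ends outside the hunk.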
@@ -135,7 +136,8 @@ GNUNET_GNSRECORD_records_serialize (unsigned int rd_count, &rec, sizeof (rec)); off += sizeof (rec); - if (off + rd[i].data_size > dest_size) + if ( (off + rd[i].data_size > dest_size) || + (off + rd[i].data_size < off) ) { GNUNET_break (0); return -1; @@ -185,7 +187,8 @@ GNUNET_GNSRECORD_records_deserialize (size_t len, off = 0; for (unsigned int i=0;i len) + if ( (off + sizeof (rec) > len) || + (off + sizeof (rec) < off) ) { GNUNET_break_op (0); return GNUNET_SYSERR; @@ -198,7 +201,8 @@ GNUNET_GNSRECORD_records_deserialize (size_t len, dest[i].record_type = ntohl (rec.record_type); dest[i].flags = ntohl (rec.flags); off += sizeof (rec); - if (off + dest[i].data_size > len) + if ( (off + dest[i].data_size > len) || + (off + dest[i].data_size < off) ) { GNUNET_break_op (0); return GNUNET_SYSERR; -- 2.25.1
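Review bot: The wrap test `(off + rd[i].data_size < off)` in the `@@ -135` hunk, like its siblings in `@@ -126`, `@@ -185` and `@@ -198`, relies on `off` being an unsigned type where wrap-around is defined; the declarations are not visible in these hunks, so a short comment stating that assumption would help. A form that cannot wrap at all compares against the remaining space, e.g. `if (rd[i].data_size > dest_size - off)`, assuming the earlier checks keep `off <= dest_size`. In the two deserialize hunks the sizes appear to come from the buffer being parsed, so that is where the check matters most. Since the same two-clause test is spelled out four times, a small static helper would keep the copies from drifting apart.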