From ca543240380475d888d660ea3296fc880ce52f35 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 15 Jul 2020 16:07:51 +1000 Subject: [PATCH] bind: Always keep a copy of the message this allows it to be available even when dns_message_parse() returns a error. Upstream-Status: Backport CVE: CVE-2020-8622 Signed-off-by: Li Zhou --- lib/dns/message.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/lib/dns/message.c b/lib/dns/message.c index ac637a2..39ed80f 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -1679,6 +1679,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, msg->header_ok = 0; msg->question_ok = 0; + if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) { + isc_buffer_usedregion(&origsource, &msg->saved); + } else { + msg->saved.length = isc_buffer_usedlength(&origsource); + msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length); + if (msg->saved.base == NULL) { + return (ISC_R_NOMEMORY); + } + memmove(msg->saved.base, isc_buffer_base(&origsource), + msg->saved.length); + msg->free_saved = 1; + } + isc_buffer_remainingregion(source, &r); if (r.length < DNS_MESSAGE_HEADERLEN) return (ISC_R_UNEXPECTEDEND); @@ -1754,17 +1767,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, } truncated: - if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) - isc_buffer_usedregion(&origsource, &msg->saved); - else { - msg->saved.length = isc_buffer_usedlength(&origsource); - msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length); - if (msg->saved.base == NULL) - return (ISC_R_NOMEMORY); - memmove(msg->saved.base, isc_buffer_base(&origsource), - msg->saved.length); - msg->free_saved = 1; - } if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) return (DNS_R_RECOVERABLE); -- 1.9.1