[Dnsmasq-discuss] [PATCH] Ensure resize_packet() does not overflow header

[Dominique Martinet]

This is a "fix" for OSV-2022-785 (oss-fuzz automated report that
apparently hasn't been looked into)

It really is a redundant safety in case something goes wrong when
finding pheader: the only caller of resize_packet() with a pheader are
shortly after find_pseudoheader(), which follows the same logic as
resize_packet such as when the "faulty" memmove is run we have
  packet <= ansp <= pheader < pheader + plen <= header + hlen

As such, the real code here really shouldn't ever trigger this overflow
and the fuzzer does not reproduce a realistic workload, but bugs can
happen so it might be safer to check in case a malicious packet could
cause the code between find_pseudoheader and reply_packet to modify
something unexpected.

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50617
Link: https://osv.dev/vulnerability/OSV-2022-785
---
This is just a drive-by patch as I noticed these silly oss-fuzz issues
looking at some security reporting tools, but in all honesty feel free
to refuse this. (I've also complained on the oss-fuzz issue)

Thanks!

 src/rfc1035.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/rfc1035.c b/src/rfc1035.c
index 387d894a25df..3be2f1748f14 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -338,6 +338,10 @@ size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *phea
   /* restore pseudoheader */
   if (pheader && ntohs(header->arcount) == 0)
     {
+      /* pseudoheader does not fit: return original packet. This should never
+       * happen as pheader should be strictly within header after current ansp */
+      if (!CHECK_LEN(header, ansp, plen, hlen))
+        return plen;
       /* must use memmove, may overlap */
       memmove(ansp, pheader, hlen);
       header->arcount = htons(1);
-- 
2.39.2