mjansson / mdns

Public domain mDNS/DNS-SD library in C
The Unlicense

mdns_multiquery_send can run over the buffer #80

Closed MattC11 closed 3 months ago

MattC11 commented 8 months ago

Line 1112 to 1115 of mdns.h is:

```c
if (!data)
    return -1;
// Record type
data = mdns_htons(data, query[iq].type);
//! Optional unicast response based on local port, class IN
data = mdns_htons(data, rclass);
```

While !data is checked, it can still be pointing very near the end of the buffer, and mdns_htons will write (memcpy) past the end of the buffer. It should have the same check that is used elsewhere:

```c
if (!data)
    return -1;
// Record type
size_t remain = capacity - MDNS_POINTER_DIFF(data, buffer);
if (remain < 4)
    return 0;
data = mdns_htons(data, query[iq].type);
//! Optional unicast response based on local port, class IN
data = mdns_htons(data, rclass);
```

mjansson commented 3 months ago

This is in send path so not super critical, but good point - fixed now
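The remaining-capacity check discussed in this issue, as a self-contained added example (not code from mdns.h or from the project). The names `put_u16_be`, `bytes_remaining`, `append_type_class` and `demo` are hypothetical, and the 16-byte buffer with trailing canary bytes is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for an unchecked 16-bit big-endian writer such as
   mdns_htons: it always writes 2 bytes and returns the advanced cursor. */
static void* put_u16_be(void* data, uint16_t val) {
    uint8_t be[2] = { (uint8_t)(val >> 8), (uint8_t)(val & 0xff) };
    memcpy(data, be, sizeof be);
    return (uint8_t*)data + sizeof be;
}

/* Bytes left between the cursor and the end of the buffer; 0 if the
   cursor is NULL or lies outside [buffer, buffer + capacity]. */
static size_t bytes_remaining(const void* buffer, size_t capacity, const void* data) {
    const uint8_t* base = buffer;
    const uint8_t* cur = data;
    if (!cur || cur < base || (size_t)(cur - base) > capacity)
        return 0;
    return capacity - (size_t)(cur - base);
}

/* Append record type and class (4 bytes total) only when they fit.
   Returns the advanced cursor, or NULL without touching the buffer. */
static void* append_type_class(void* buffer, size_t capacity, void* data,
                               uint16_t qtype, uint16_t qclass) {
    if (bytes_remaining(buffer, capacity, data) < 4)
        return NULL;
    data = put_u16_be(data, qtype);
    return put_u16_be(data, qclass);
}

/* Constructed demo: a 16-byte "packet" inside a 20-byte array whose tail
   acts as a canary. Attempts the write with `used` bytes already consumed,
   stores whether it fit, and returns 1 if the canary bytes are intact. */
static int demo(size_t used, int* fit) {
    uint8_t mem[20];
    memset(mem, 0xAA, sizeof mem);
    void* end = append_type_class(mem, 16, mem + used, 12 /* PTR */, 1 /* IN */);
    *fit = (end != NULL);
    return mem[16] == 0xAA && mem[17] == 0xAA;
}

int main(void) {
    int fit;
    int ok = demo(13, &fit); /* 3 bytes left: the write must be refused */
    return (ok && !fit) ? 0 : 1;
}
```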