mDNS compressed pointer: Validate offset before jumping

jonatanolofsson · jonatanolofsson · commit 1d702d58c52c · 2018-03-06T22:52:27.000+01:00
diff --git a/libraries/ESP8266WiFi/src/include/UdpContext.h b/libraries/ESP8266WiFi/src/include/UdpContext.h
@@ -151,10 +151,14 @@ class UdpContext
 
     void seek(const size_t pos)
     {
-        assert(pos <= _rx_buf->len);
+        assert(isValidOffset(pos));
         _rx_buf_offset = pos;
     }
 
+    bool isValidOffset(const size_t pos) const {
+        return (pos <= _rx_buf->len);
+    }
+
     uint32_t getRemoteAddress()
     {
         if (!_rx_buf)
diff --git a/libraries/ESP8266mDNS/ESP8266mDNS.cpp b/libraries/ESP8266mDNS/ESP8266mDNS.cpp
@@ -550,15 +550,24 @@ void MDNSResponder::_parsePacket(){
         }
         if (tmp8 & 0xC0) { // Compressed pointer
           uint16_t offset = ((((uint16_t)tmp8) & ~0xC0) << 8) | _conn_read8();
-          last_bufferpos  = _conn->tell();
+          if (_conn->isValidOffset(offset)) {
+              last_bufferpos  = _conn->tell();
 #ifdef DEBUG_ESP_MDNS_RX
-          DEBUG_ESP_PORT.print("Compressed pointer, jumping from ");
-          DEBUG_ESP_PORT.print(last_bufferpos);
-          DEBUG_ESP_PORT.print(" to ");
-          DEBUG_ESP_PORT.println(offset);
+              DEBUG_ESP_PORT.print("Compressed pointer, jumping from ");
+              DEBUG_ESP_PORT.print(last_bufferpos);
+              DEBUG_ESP_PORT.print(" to ");
+              DEBUG_ESP_PORT.println(offset);
 #endif
-          _conn->seek(offset);
-          tmp8 = _conn_read8();
+              _conn->seek(offset);
+              tmp8 = _conn_read8();
+          }
+          else {
+#ifdef DEBUG_ESP_MDNS_RX
+              DEBUG_ESP_PORT.print("Skipping malformed compressed pointer");
+#endif
+              tmp8 = _conn_read8();
+              break;
+          }
         }
         if(stringsRead > 3){
 #ifdef DEBUG_ESP_MDNS_RX
@@ -661,15 +670,24 @@ void MDNSResponder::_parsePacket(){
         tmp8 = _conn_read8();
         if (tmp8 & 0xC0) { // Compressed pointer
           uint16_t offset = ((((uint16_t)tmp8) & ~0xC0) << 8) | _conn_read8();
-          last_bufferpos = _conn->tell();
+          if (_conn->isValidOffset(offset)) {
+              last_bufferpos = _conn->tell();
 #ifdef DEBUG_ESP_MDNS_RX
-          DEBUG_ESP_PORT.print("Compressed pointer, jumping from ");
-          DEBUG_ESP_PORT.print(last_bufferpos);
-          DEBUG_ESP_PORT.print(" to ");
-          DEBUG_ESP_PORT.println(offset);
+              DEBUG_ESP_PORT.print("Compressed pointer, jumping from ");
+              DEBUG_ESP_PORT.print(last_bufferpos);
+              DEBUG_ESP_PORT.print(" to ");
+              DEBUG_ESP_PORT.println(offset);
 #endif
-          _conn->seek(offset);
-          tmp8 = _conn_read8();
+              _conn->seek(offset);
+              tmp8 = _conn_read8();
+          }
+          else {
+#ifdef DEBUG_ESP_MDNS_RX
+              DEBUG_ESP_PORT.print("Skipping malformed compressed pointer");
+#endif
+              tmp8 = _conn_read8();
+              break;
+          }
         }
         _conn_readS(answerHostName, tmp8);
         answerHostName[tmp8] = '\0';

Original file line number	Diff line number	Diff line change
`@@ -151,10 +151,14 @@ class UdpContext`
`151`	`151`
`152`	`152`	`void seek(const size_t pos)`
`153`	`153`	`{`
`154`		`- assert(pos <= _rx_buf->len);`
	`154`	`+ assert(isValidOffset(pos));`
`155`	`155`	`_rx_buf_offset = pos;`
`156`	`156`	`}`
`157`	`157`
	`158`	`+ bool isValidOffset(const size_t pos) const {`
	`159`	`+ return (pos <= _rx_buf->len);`
	`160`	`+ }`
	`161`	`+`
`158`	`162`	`uint32_t getRemoteAddress()`
`159`	`163`	`{`
`160`	`164`	`if (!_rx_buf)`