File CVE-2021-3672.patch of Package libcares2.20744

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2021-3672.patch of Package libcares2.20744

Index: c-ares-1.9.1/ares_expand_name.c
===================================================================
--- c-ares-1.9.1.orig/ares_expand_name.c
+++ c-ares-1.9.1/ares_expand_name.c
@@ -39,6 +39,26 @@
 static int name_length(const unsigned char *encoded, const unsigned char *abuf,
                        int alen);
 
+/* Reserved characters for names that need to be escaped */
+static int is_reservedch(int ch)
+{
+  switch (ch) {
+    case '"':
+    case '.':
+    case ';':
+    case '\\':
+    case '(':
+    case ')':
+    case '@':
+    case '$':
+      return 1;
+    default:
+      break;
+  }
+
+  return 0;
+}
+
 /* Expand an RFC1035-encoded domain name given by encoded.  The
  * containing message is given by abuf and alen.  The result given by
  * *s, which is set to a NUL-terminated allocated buffer.  *enclen is
@@ -114,18 +134,37 @@ int ares_expand_name(const unsigned char
         }
       else
         {
-          len = *p;
+          int name_len = *p;
+          len = name_len;
           p++;
+
           while (len--)
             {
-              if (*p == '.' || *p == '\\')
-                *q++ = '\\';
-              *q++ = *p;
+              /* Output as \DDD for consistency with RFC1035 5.1, except
+               * for the special case of a root name response  */
+              if (!isprint(*p) && !(name_len == 1 && *p == 0))
+                {
+
+                  *q++ = '\\';
+                  *q++ = '0' + *p / 100;
+                  *q++ = '0' + (*p % 100) / 10;
+                  *q++ = '0' + (*p % 10);
+                }
+              else if (is_reservedch(*p))
+                {
+                  *q++ = '\\';
+                  *q++ = *p;
+                }
+              else
+                {
+                  *q++ = *p;
+                }
               p++;
             }
           *q++ = '.';
         }
-    }
+     }
+
   if (!indir)
     *enclen = aresx_uztosl(p + 1U - encoded);
 
@@ -144,7 +183,7 @@ int ares_expand_name(const unsigned char
 static int name_length(const unsigned char *encoded, const unsigned char *abuf,
                        int alen)
 {
-  int n = 0, offset, indir = 0;
+  int n = 0, offset, indir = 0, top;
 
   /* Allow the caller to pass us abuf + alen and have us check for it. */
   if (encoded == abuf + alen)
@@ -152,7 +191,8 @@ static int name_length(const unsigned ch
 
   while (*encoded)
     {
-      if ((*encoded & INDIR_MASK) == INDIR_MASK)
+      top = (*encoded & INDIR_MASK);
+      if (top == INDIR_MASK)
         {
           /* Check the offset and go there. */
           if (encoded + 1 >= abuf + alen)
@@ -168,19 +208,40 @@ static int name_length(const unsigned ch
           if (++indir > alen)
             return -1;
         }
-      else
+      else if (top == 0x00)
         {
-          offset = *encoded;
+          int name_len = *encoded;
+          offset = name_len;
           if (encoded + offset + 1 >= abuf + alen)
             return -1;
           encoded++;
+
           while (offset--)
             {
-              n += (*encoded == '.' || *encoded == '\\') ? 2 : 1;
+              if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0))
+                {
+                  n += 4;
+                }
+              else if (is_reservedch(*encoded))
+                {
+                  n += 2;
+                }
+              else
+                {
+                  n += 1;
+                }
               encoded++;
             }
+
           n++;
         }
+      else
+        {
+          /* RFC 1035 4.1.4 says other options (01, 10) for top 2
+           * bits are reserved.
+           */
+          return -1;
+        }
     }
 
   /* If there were any labels at all, then the number of dots is one

Places

File CVE-2021-3672.patch of Package libcares2.20744

Places