2013/4/15 Patrick Valsecchi <pvalsecc_at_cisco.com>
> The first sub-string is fine, but with the second sub-string, the code
> in ares_parse_txt.c (c-ares version 1.9.1) will have a bad behavior. The
> loop line 146 will just compute a total length of 4+255=259 and the loop
> line 164 can have two possible outcomes: crash or possible information leak.
>
Sounds reasonable. Adding a check that the last label ends on the rr_len
boundary makes a lot of sense.
> IMHO, it's a security defect
>
Could be, yes. With a malicious DNS server serving TXT records.
The information leak would be restricted to the 0xFF bytes following the
RR, AFAICT.
> and I wonder how many other c-ares functions are like that...
>
I have no data on that. ;)
-- Tommie
Received on 2013-04-15
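The boundary check discussed in the thread, shown as an added example that is not c-ares code: each TXT sub-string (one length byte plus that many bytes) must end on or before rr_len, and the list must end exactly at rr_len. The RDATA byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Concatenate the <character-string>s of one TXT RR into out (NUL-terminated).
 * Returns the number of payload bytes written, or -1 if any sub-string would
 * run past rr_len (the 4+255=259 case above) or if out is too small. */
int txt_concat(const uint8_t *rdata, size_t rr_len, char *out, size_t out_cap)
{
    size_t pos = 0, total = 0, written = 0;

    /* Pass 1: total the lengths, refusing a sub-string that crosses rr_len.
     * Without this check a forged 0xFF length byte makes the sum exceed the
     * RR and the copy below reads past the end of the record. */
    while (pos < rr_len) {
        size_t len = rdata[pos];            /* length byte, 0..255 */
        if (pos + 1 + len > rr_len)
            return -1;                      /* last label must end on the rr_len boundary */
        total += len;
        pos += 1 + len;
    }
    if (total + 1 > out_cap)
        return -1;

    /* Pass 2: copy; every read is now known to stay inside rdata[0..rr_len). */
    for (pos = 0; pos < rr_len; pos += 1 + rdata[pos]) {
        memcpy(out + written, rdata + pos + 1, rdata[pos]);
        written += rdata[pos];
    }
    out[written] = '\0';
    return (int)written;
}

/* Constructed RDATA: "abc" then "hi"; well-formed, rr_len = 7. */
static const uint8_t GOOD_RDATA[] = { 3, 'a', 'b', 'c', 2, 'h', 'i' };
/* Constructed RDATA: "abc" then a 0xFF length byte with only 2 bytes left. */
static const uint8_t BAD_RDATA[]  = { 3, 'a', 'b', 'c', 0xFF, 'h', 'i' };
static char scratch[64];

int main(void)
{
    int n = txt_concat(GOOD_RDATA, sizeof GOOD_RDATA, scratch, sizeof scratch);
    printf("good: %d bytes \"%s\"\n", n, scratch);   /* good: 5 bytes "abchi" */
    n = txt_concat(BAD_RDATA, sizeof BAD_RDATA, scratch, sizeof scratch);
    printf("bad: %d\n", n);                            /* bad: -1 */
    return 0;
}
```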