CVE-2017-1000381.patch

From e1f43d4d7e89ef8db479d6efd0389c6b6ee1d116 Mon Sep 17 00:00:00 2001
From: David Drysdale <drysdale@google.com>
Date: Mon, 22 May 2017 10:54:10 +0100
Subject: [PATCH 5/5] ares_parse_naptr_reply: check sufficient data

Check that there is enough data for the required elements
of an NAPTR record (2 int16, 3 bytes for string lengths)
before processing a record.
---
 ares_parse_naptr_reply.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ares_parse_naptr_reply.c b/ares_parse_naptr_reply.c
index 11634df9847c..717d35577811 100644
--- a/ares_parse_naptr_reply.c
+++ b/ares_parse_naptr_reply.c
@@ -110,6 +110,12 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
           status = ARES_EBADRESP;
           break;
         }
+      /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
+      if (rr_len < 7)
+        {
+          status = ARES_EBADRESP;
+          break;
+        }
 
       /* Check if we are really looking at a NAPTR record */
       if (rr_class == C_IN && rr_type == T_NAPTR)
@@ -185,4 +191,3 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
 
   return ARES_SUCCESS;
 }
-
-- 
2.13.0.303.g4ebf302169-goog