CVE-2018-20102.patch 1.24 KB
daidai_is_here committed on 2020-02-14 10:50 . init package
From efbbdf72992cd20458259962346044cafd9331c0 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Wed, 5 Dec 2018 17:56:29 +0100
Subject: [PATCH] BUG: dns: Prevent out-of-bounds read in
dns_validate_dns_response()

We need to make sure that the record length is not making us read
past the end of the data we received.

Before this patch we could for example read the 16 bytes
corresponding to an AAAA record from the non-initialized part of
the buffer, possibly accessing anything that was left on the stack,
or even past the end of the 8193-byte buffer, depending on the
value of accepted_payload_size.

To be backported to 1.8, probably also 1.7.
---
src/dns.c | 5 +++++
1 file changed, 5 insertions(+)
Index: haproxy-1.8.13/src/dns.c
===================================================================
--- haproxy-1.8.13.orig/src/dns.c
+++ haproxy-1.8.13/src/dns.c
@@ -798,6 +798,11 @@ static int dns_validate_dns_response(uns
/* Move forward 2 bytes for data len */
reader += 2;
+ if (reader + dns_answer_record->data_len >= bufend) {
+ pool_free(dns_answer_item_pool, dns_answer_record);
+ return DNS_RESP_INVALID;
+ }
+
/* Analyzing record content */
switch (dns_answer_record->type) {
case DNS_RTYPE_A:
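Review bot: The added check `if (reader + dns_answer_record->data_len >= bufend)` computes the pointer sum before comparing it, so the bound is tested on a pointer that may already lie outside the buffer. Comparing lengths instead, as in `dns_answer_record->data_len >= bufend - reader`, keeps the same result without forming that pointer. The `>=` also rejects a record whose data ends exactly at `bufend`; the hunk does not show whether `bufend` is the last received byte or one past it, so a one-line comment above the check stating which it is, and that `data_len` is taken from the response, would make the intended boundary clear to the next reader.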