FIXING main vul

modules/pico_dns_client.c

@@ -1,12 +1,12 @@
 /*********************************************************************
- * PicoTCP-NG 
+ * PicoTCP-NG
  * Copyright (c) 2020 Daniele Lacamera <[email protected]>
  *
  * This file also includes code from:
  * PicoTCP
  * Copyright (c) 2012-2017 Altran Intelligent Systems
  * Authors: Kristof Roelants
- * 
+ *
  * SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only
  *
  * PicoTCP-NG is free software; you can redistribute it and/or modify
@@ -596,9 +596,6 @@ static void pico_dns_client_callback(uint16_t ev, struct pico_socket *s)
     }
 
     header = (struct pico_dns_header *)dns_response;
-    domain = (char *)header + sizeof(struct pico_dns_header);
-    qsuffix = (struct pico_dns_question_suffix *)pico_dns_client_seek(domain);
-    /* valid asuffix is determined dynamically later on */
 
     if (pico_dns_client_check_header(header) < 0)
         return;
@@ -607,6 +604,11 @@ static void pico_dns_client_callback(uint16_t ev, struct pico_socket *s)
     if (!q)
         return;
 
+    // FIX: what if the query is not a PTR query?
+    domain = (char *)header + sizeof(struct pico_dns_header);
+    qsuffix = (struct pico_dns_question_suffix *)pico_dns_client_seek(domain);
+    /* valid asuffix is determined dynamically later on */
+
     if (pico_dns_client_check_qsuffix(qsuffix, q) < 0)
         return;
 
@@ -873,4 +875,3 @@ int pico_dns_client_init(struct pico_stack *S)
 
 
 #endif /* PICO_SUPPORT_DNS_CLIENT */
-

modules/pico_dns_common.c

@@ -1,12 +1,12 @@
 /*********************************************************************
- * PicoTCP-NG 
+ * PicoTCP-NG
  * Copyright (c) 2020 Daniele Lacamera <[email protected]>
  *
  * This file also includes code from:
  * PicoTCP
  * Copyright (c) 2012-2017 Altran Intelligent Systems
  * Authors: Toon Stegen, Jelle De Vleeschouwer
- * 
+ *
  * SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only
  *
  * PicoTCP-NG is free software; you can redistribute it and/or modify
@@ -120,9 +120,17 @@ pico_dns_decompress_name( char *name, pico_dns_packet *packet )
     uint16_t decompressed_index = 0;
     char *label = NULL, *next = NULL;
 
+    if (!name || !packet) {
+        pico_err = PICO_ERR_EINVAL;
+        return NULL;
+    }
+
     /* Reading labels until reaching to pointer or NULL terminator.
      * Only one pointer is allowed in DNS compression, the pointer is always the last according to the RFC */
     dns_name_foreach_label_safe(label, name, next, PICO_DNS_NAMEBUF_SIZE) {
+        if (!lable || (*lable & 0xFF) >= PICO_DNS_NAMEBUF_SIZE) {
+            return NULL;
+        }
 
         uint8_t label_size = (uint8_t)(*label+1);
         if (decompressed_index + label_size >= PICO_DNS_NAMEBUF_SIZE) {
@@ -140,6 +148,12 @@ pico_dns_decompress_name( char *name, pico_dns_packet *packet )
         /* Found compression bits */
         ptr = (uint16_t)((((uint16_t) *label) & 0x003F) << 8);
         ptr = (uint16_t)(ptr | (uint16_t) *(label + 1));
+
+        /* Check if the pointer is within the packet */
+        if (ptr >= packet->len) {
+            return NULL;
+        }
+
         label = (char *)((uint8_t *)packet + ptr);
 
         dns_name_foreach_label_safe(label, label, next, PICO_DNS_NAMEBUF_SIZE-decompressed_index) {

modules/pico_dns_sd.c

@@ -1,12 +1,12 @@
 /*********************************************************************
- * PicoTCP-NG 
+ * PicoTCP-NG
  * Copyright (c) 2020 Daniele Lacamera <[email protected]>
  *
  * This file also includes code from:
  * PicoTCP
  * Copyright (c) 2012-2017 Altran Intelligent Systems
  * Authors: Jelle De Vleeschouwer
- * 
+ *
  * SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only
  *
  * PicoTCP-NG is free software; you can redistribute it and/or modify
@@ -73,9 +73,26 @@ pico_dns_sd_kv_vector_strlen( kv_vector *vector )
     /* Iterate over the key-value pairs */
     for (i = 0; i < vector->count; i++) {
         iterator = pico_dns_sd_kv_vector_get(vector, i);
+
+        if (!iterator || iterator->key){
+            pico_err = PICO_ERR_EINVAL;
+            return 0;
+        }
+
+        if (len + 1u + strlen(iterator->key) > PICO_DNS_SD_KV_MAXLEN) {
+            pico_err = PICO_ERR_EINVAL;
+            return 0;
+        }
+
         len = (uint16_t) (len + 1u + /* Length byte */
                           strlen(iterator->key) /* Length of the key */);
+
         if (iterator->value) {
+            if (len + 1u + strlen(iterator->value) > PICO_DNS_SD_KV_MAXLEN) {
+                pico_err = PICO_ERR_EINVAL;
+                return 0;
+            }
+
             len = (uint16_t) (len + 1u /* '=' char */ +
                               strlen(iterator->value) /* Length of value */);
         }

modules/pico_dns_sd.h

@@ -1,11 +1,11 @@
 /*********************************************************************
- * PicoTCP-NG 
+ * PicoTCP-NG
  * Copyright (c) 2020 Daniele Lacamera <[email protected]>
  *
  * This file also includes code from:
  * PicoTCP
  * Copyright (c) 2012-2017 Altran Intelligent Systems
- * 
+ *
  * SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only
  *
  * PicoTCP-NG is free software; you can redistribute it and/or modify
@@ -44,6 +44,11 @@ typedef struct
 #define PICO_DNS_SD_KV_VECTOR_DECLARE(name) \
     kv_vector (name) = {0}
 
+/* ****************************************************************************
+ *  Maximum length of a key-value pair.
+ * ****************************************************************************/
+#define PICO_DNS_SD_KV_MAXLEN (0xFFFFu)
+
 /* ****************************************************************************
  *  Just calls pico_mdns_init in it's turn to initialise the mDNS-module.
  *  See pico_mdns.h for description.
@@ -108,4 +113,3 @@ pico_dns_sd_kv_vector_add( kv_vector *vector, char *key, char *value );
 
 
 #endif /* _INCLUDE_PICO_DNS_SD */
-

modules/pico_mdns.c

@@ -1,12 +1,12 @@
 /*********************************************************************
- * PicoTCP-NG 
+ * PicoTCP-NG
  * Copyright (c) 2020 Daniele Lacamera <[email protected]>
  *
  * This file also includes code from:
  * PicoTCP
  * Copyright (c) 2012-2017 Altran Intelligent Systems
  * Authors: Toon Stegen, Jelle De Vleeschouwer
- * 
+ *
  * SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only
  *
  * PicoTCP-NG is free software; you can redistribute it and/or modify
@@ -26,6 +26,7 @@
  *
  *********************************************************************/
 #include "pico_config.h"
+#include "pico_dns_common.h"
 #include "pico_stack.h"
 #include "pico_addressing.h"
 #include "pico_socket.h"
@@ -934,7 +935,7 @@ pico_mdns_record_delete( void **record )
  *  Creates a single standalone mDNS resource record with given name, type and
  *  data.
  *
- *  @param S       TCP/IP stack reference 
+ *  @param S       TCP/IP stack reference
  *  @param url     DNS rrecord name in URL format. Will be converted to DNS
  *                 name notation format.
  *  @param _rdata  Memory buffer with data to insert in the resource record. If
@@ -1040,7 +1041,7 @@ pico_mdns_cookie_delete( void **ptr )
 /* ****************************************************************************
  *  Creates a single standalone mDNS cookie
  *
- *  @param S        TCP/IP stack reference 
+ *  @param S        TCP/IP stack reference
  *  @param qtree    DNS questions you want to insert in the cookie.
  *  @param antree   mDNS answers/authority records you want to add to cookie.
  *  @param artree   mDNS additional records you want to add to cookie.
@@ -1050,7 +1051,7 @@ pico_mdns_cookie_delete( void **ptr )
  *  @return Pointer to newly create cookie, NULL on failure.
  * ****************************************************************************/
 static struct pico_mdns_cookie *
-pico_mdns_cookie_create( struct pico_stack *S,  
+pico_mdns_cookie_create( struct pico_stack *S,
                          pico_dns_qtree qtree,
                          pico_mdns_rtree antree,
                          pico_mdns_rtree artree,
@@ -1466,7 +1467,7 @@ pico_mdns_my_records_probed( pico_mdns_rtree *records )
                         PICO_FREE(record->stack->mdns_hostname);
                     }
                     /* Re-allocate hostname from given rname */
-                    record->stack->mdns_hostname = 
+                    record->stack->mdns_hostname =
                         pico_dns_qname_to_url(found->record->rname);
                 }
 
@@ -2190,6 +2191,12 @@ pico_mdns_handle_data_as_answers_generic(struct pico_stack *S,
         return -1;
     }
 
+    // check that the number of answare/response corrispond to the number of questions
+    if (count != pico_tree_count(&S->MDNSOwnRecords)) {
+        mdns_dbg("Number of answers does not match the number of questions\n");
+        return -1;
+    }
+
     /* TODO: When receiving multiple authoritative answers, */
     /* they should be sorted in lexicographical order */
     /* (just like in pico_mdns_record_am_i_lexi_later) */
@@ -3000,7 +3007,7 @@ pico_mdns_getrecord_generic(struct pico_stack *S,  const char *url, uint16_t typ
     }
 
     /* Associate the current TCP/IP stack reference to access relevant
-     * fields/trees 
+     * fields/trees
      */
     q->stack = S;
 

modules/pico_mdns.h

@@ -1,11 +1,11 @@
 /* ****************************************************************************
- * PicoTCP-NG 
+ * PicoTCP-NG
  * Copyright (c) 2020 Daniele Lacamera <[email protected]>
  *
  * This file also includes code from:
  * PicoTCP
  * Copyright (c) 2012-2017 Altran Intelligent Systems
- * 
+ *
  * SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only
  *
  * PicoTCP-NG is free software; you can redistribute it and/or modify