From e3a20b3bc250cc8012e99aa2df02b07cd05fe26e Mon Sep 17 00:00:00 2001 From: Mingjie Shen Date: Fri, 14 Apr 2023 16:06:49 -0400 Subject: [PATCH] mdns: Add null check for pbuf_skip --- src/apps/mdns/mdns.c | 4 ++++ src/core/pbuf.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/apps/mdns/mdns.c b/src/apps/mdns/mdns.c index 24504c31..915908f0 100644 --- a/src/apps/mdns/mdns.c +++ b/src/apps/mdns/mdns.c @@ -1889,6 +1889,10 @@ mdns_handle_response(struct mdns_packet *pkt, struct netif *netif) flags = MDNS_SEARCH_RESULT_FIRST | MDNS_SEARCH_RESULT_LAST; } p = pbuf_skip(pkt->pbuf, ans.rd_offset, &offset); + if (p == NULL) { + LWIP_DEBUGF(MDNS_DEBUG, ("MDNS: Malformed response packet, aborting\n")); + return; + } if (ans.info.type == DNS_RRTYPE_PTR || ans.info.type == DNS_RRTYPE_SRV) { /* Those RR types have compressed domain name. Must uncompress here, since cannot be done without pbuf. */ diff --git a/src/core/pbuf.c b/src/core/pbuf.c index ea5e026c..1fb64d41 100644 --- a/src/core/pbuf.c +++ b/src/core/pbuf.c @@ -1203,7 +1203,7 @@ pbuf_skip_const(const struct pbuf *in, u16_t in_offset, u16_t *out_offset) * @param in input pbuf * @param in_offset offset to skip * @param out_offset resulting offset in the returned pbuf - * @return the pbuf in the queue where the offset is + * @return the pbuf in the queue where the offset is or NULL when the offset is too high */ struct pbuf * pbuf_skip(struct pbuf *in, u16_t in_offset, u16_t *out_offset)