[Slirp] translate_dnssearch BUG

Samuel Thibault samuel.thibault at ens-lyon.org
Sat Jun 11 20:28:32 UTC 2022


Hello,

Michael T, on Thu. 06 Jan 2022 16:49:52 +0200, wrote:
> In this part of the code in translate_dnssearch:
> 
> 
>     for (i = 0; i < num_domains; i++) {
>         domains[i].labels = outptr;
>         domain_mklabels(domains + i, names[i]);
>         outptr += domains[i].len;
>     }
> 
>     if (outptr == result) {
>         g_free(domains);
>         g_free(result);
>         return -1;
>     }
> 
> If we have 2 domains where the second one ends with "..", the string is not
> null-terminated, thus it may cause memory corruption issues in later usage of
> this heap-allocated string.
> I was not able to dive really deep into the issue since it was not in the scope
> of my research.
> Note that we need 2 domains so we can bypass the later check and not return.

Indeed. We could just check for domains[i].len being 0 within the loop
instead of just checking the end result. That'd however mean rejecting
all the search names whenever one of them is faulty; does that sound
right?

Samuel
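The two checks discussed above, as an added example that is not libslirp's code: a hypothetical label encoder (`encode_labels`, standing in for domain_mklabels) returns 0 for a name with an empty label, and `build_search_list` either keeps only the aggregate `outptr == result` check from the quoted loop or applies the per-entry `len == 0` check suggested in the reply. The input pair is constructed from the report (a valid name followed by one ending in "..").

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the per-domain encoder (not domain_mklabels):
 * writes DNS wire labels <len><bytes>... plus the root terminator for
 * `name` into `out`; returns bytes written, or 0 on an empty or >63 label. */
static size_t encode_labels(uint8_t *out, const char *name)
{
    size_t total = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t n = dot ? (size_t)(dot - name) : strlen(name);
        if (n == 0 || n > 63)
            return 0;                 /* empty label ("..", "."): reject */
        out[total++] = (uint8_t)n;
        memcpy(out + total, name, n);
        total += n;
        name = dot ? dot + 1 : name + n;
    }
    if (total == 0) return 0;
    out[total++] = 0;                 /* root label terminates the name */
    return total;
}

/* Encodes `num` names back to back into `buf` (caller sizes it).
 * strict == 0: only the aggregate check from the quoted code, so a faulty
 * second name slips through with 0 length. strict == 1: the per-entry
 * check from the reply rejects the whole list. Returns bytes or -1. */
static int build_search_list(uint8_t *buf, const char **names, size_t num,
                             int strict)
{
    uint8_t *outptr = buf;
    for (size_t i = 0; i < num; i++) {
        size_t len = encode_labels(outptr, names[i]);
        if (strict && len == 0) return -1;
        outptr += len;
    }
    return outptr == buf ? -1 : (int)(outptr - buf);
}

/* Constructed input from the report: a valid name, then one ending in "..". */
int demo(int strict)
{
    static const char *names[] = { "example.com", "bad.." };
    uint8_t buf[64];
    return build_search_list(buf, names, 2, strict);
}
```

With the aggregate check alone `demo(0)` returns 13 (only "example.com" was encoded, yet the list is accepted); with the per-entry check `demo(1)` returns -1.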

