From cbba06334e8e30c875ee85d95ae413f06de0e4ad Mon Sep 17 00:00:00 2001
From: millert <>
Date: Wed, 15 Mar 2023 22:12:00 +0000
Subject: Fix a number of out of bound reads in DNS response parsing.
 Originally from djm@.  OK deraadt@ florian@ bluhm@

---
 src/lib/libc/net/res_comp.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/lib/libc/net/res_comp.c b/src/lib/libc/net/res_comp.c
index 7ccd44ad8d..ce9f92ae77 100644
--- a/src/lib/libc/net/res_comp.c
+++ b/src/lib/libc/net/res_comp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: res_comp.c,v 1.22 2022/12/27 17:10:06 jmc Exp $	*/
+/*	$OpenBSD: res_comp.c,v 1.23 2023/03/15 22:12:00 millert Exp $	*/
 
 /*
  * ++Copyright++ 1985, 1993
@@ -82,6 +82,9 @@ dn_expand(const u_char *msg, const u_char *eomorig, const u_char *comp_dn,
 	char *eom;
 	int len = -1, checked = 0;
 
+	if (comp_dn < msg || comp_dn >= eomorig)
+		return (-1);
+
 	dn = exp_dn;
 	cp = comp_dn;
 	if (length > HOST_NAME_MAX)
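Review bot: The new entry guard on `comp_dn` carries no comment saying which invariant it establishes, unlike the check added inside the loop in the next hunk. A one-line comment such as `/* comp_dn must point inside the message, [msg, eomorig), before the first length octet is read */` would make clear that this is what makes the first `*cp++` safe. The diffstat shows only res_comp.c changing, so a regression case with `comp_dn` equal to `eomorig` would be worth adding alongside. dn_expand's body starts before and continues past this hunk.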
@@ -91,6 +94,9 @@ dn_expand(const u_char *msg, const u_char *eomorig, const u_char *comp_dn,
 	 * fetch next label in domain name
 	 */
 	while ((n = *cp++)) {
+		if (cp >= eomorig)	/* out of range */
+			return (-1);
+
 		/*
 		 * Check for indirection
 		 */
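Review bot: The added `cp >= eomorig` test runs after the `while ((n = *cp++))` condition has already read the length octet, so it protects the bytes the body reads next, not the read in the loop condition itself. On the first iteration that read is covered by the entry check on `comp_dn`. On later iterations it appears to rely on the loop body leaving `cp` below `eomorig` after each label or indirection; the body continues outside this hunk, so I cannot confirm that from here. I would expand the comment to something like `/* length octet was the last byte of the message: nothing left to read */` and add a note above the `while` that every path back to the condition must keep `cp < eomorig`.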
-- 
cgit v1.2.3-55-g6feb