From 8fd2c99f1535901897da536264f3451a02246210 Mon Sep 17 00:00:00 2001
From: David Cermak
Date: Tue, 18 Mar 2025 17:03:19 +0100
Subject: [PATCH] fix(mdns): Fix parsing incorrect txt records
Issue discovered when fuzzing packet parser, received packet with inconsistent txt section caused issues on final cleanup
---
 components/mdns/mdns.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/components/mdns/mdns.c b/components/mdns/mdns.c
index 388fc9599..20ee5eead 100644
--- a/components/mdns/mdns.c
+++ b/components/mdns/mdns.c
@@ -3593,7 +3593,7 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it
 }
 int name_len = _mdns_txt_item_name_get_len(data + i, partLen);
- if (name_len < 0) {//invalid item (no name)
+ if (name_len < 0 || txt_num >= num_items) {//invalid item (no name or more items than expected)
 i += partLen;
 continue;
 }
@@ -3602,7 +3602,6 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it
 HOOK_MALLOC_FAILED;
 goto handle_error;//error
 }
-
 mdns_txt_item_t *t = &txt[txt_num];
 uint8_t *value_len = &txt_value_len[txt_num];
 txt_num++;
@@ -3624,6 +3623,8 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it
 *value_len = new_value_len;
 i += new_value_len;
 t->value = value;
+ } else {
+ t->value = NULL;
 }
 }
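Review bot: The added `txt_num >= num_items` test in the first hunk shares a branch and a comment with the "no name" case, so a record that holds more items than were counted is silently truncated and nothing marks the packet as inconsistent. Since this bound is what keeps the later `&txt[txt_num]` and `&txt_value_len[txt_num]` inside their arrays, I would give it its own branch with a comment such as `// bound for txt[]/txt_value_len[]: parser found more items than were counted`, and decide there whether to skip the item or `goto handle_error;`. The declarations of `txt_num` and `num_items` sit outside the hunk (the function starts and ends beyond it); if one is signed and the other unsigned the comparison converts implicitly, so confirm `num_items` cannot be negative here. The commit message says the input came from fuzzing, yet only `mdns.c` changes; adding that input to the fuzzer corpus or a unit test would keep the fix from regressing.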
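Review bot: Clearing `t->value` only in the new `else` of the last hunk leaves the slot unset on any path that exits between `txt_num++` and this point, and `*value_len` is not reset in the `else` at all. The `if` this `else` pairs with and the allocation of `txt`/`txt_value_len` are above the hunk, so this matters only if those arrays are not zeroed when allocated; that is worth confirming, because the commit message says the failure showed up in the final cleanup. Initialising the slot where it is claimed, `t->key = NULL; t->value = NULL; *value_len = 0;` right after `uint8_t *value_len = &txt_value_len[txt_num];`, would cover every exit path instead of one branch.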