[git commit] udhcp: fix a SEGV on malformed RFC1035-encoded domain name

[Denys Vlasenko]

commit: https://git.busybox.net/busybox/commit/?id=d474ffc68290e0a83651c4432eeabfa62cd51e87
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 networking/udhcp/domain_codec.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
index 05cdf51..cee31f1 100644
--- a/networking/udhcp/domain_codec.c
+++ b/networking/udhcp/domain_codec.c
@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
 				if (crtpos + *c + 1 > clen) /* label too long? abort */
 					return NULL;
 				if (dst)
-					memcpy(dst + len, c + 1, *c);
+					/* \3com ---> "com." */
+					((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
 				len += *c + 1;
 				crtpos += *c + 1;
-				if (dst)
-					dst[len - 1] = '.';
 			} else {
 				/* NUL: end of current domain name */
 				if (retpos == 0) {
@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
 					crtpos = retpos;
 					retpos = depth = 0;
 				}
-				if (dst)
+				if (dst && len != 0)
+					/* \4host\3com\0\4host and we are at \0:
+					 * \3com was converted to "com.", change dot to space.
+					 */
 					dst[len - 1] = ' ';
 			}
 
@@ -227,6 +229,9 @@ int main(int argc, char **argv)
 	int len;
 	uint8_t *encoded;
 
+        uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
+        printf("NUL:'%s'\n",   dname_dec(str, 6, ""));
+
 #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
 	printf("'%s'\n",       DNAME_DEC("\4host\3com\0", "test1:"));
 	printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));