From e9a8005daa7966b3172b2f093c583ad306aa1f3b Mon Sep 17 00:00:00 2001
From: Diebbo
Date: Fri, 20 Dec 2024 16:10:51 +0100
Subject: [PATCH] FIX: CVE vulnerabilities
---
 modules/pico_dns_common.c | 18 ++++++++++++++++--
 modules/pico_mdns.c | 21 ++++++++++++++-------
 2 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/modules/pico_dns_common.c b/modules/pico_dns_common.c
index 15fb8ee2..be2d281e 100644
--- a/modules/pico_dns_common.c
+++ b/modules/pico_dns_common.c
@@ -1,12 +1,12 @@
 /*********************************************************************
- * PicoTCP-NG
+ * PicoTCP-NG
 * Copyright (c) 2020 Daniele Lacamera
 *
 * This file also includes code from:
 * PicoTCP
 * Copyright (c) 2012-2017 Altran Intelligent Systems
 * Authors: Toon Stegen, Jelle De Vleeschouwer
- *
+ *
 * SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only
 *
 * PicoTCP-NG is free software; you can redistribute it and/or modify
@@ -120,9 +120,17 @@ pico_dns_decompress_name( char *name, pico_dns_packet *packet )
 uint16_t decompressed_index = 0;
 char *label = NULL, *next = NULL;
+ if (!name || !packet) {
+ pico_err = PICO_ERR_EINVAL;
+ return NULL;
+ }
+
 /* Reading labels until reaching to pointer or NULL terminator.
 * Only one pointer is allowed in DNS compression, the pointer is always the last according to the RFC */
 dns_name_foreach_label_safe(label, name, next, PICO_DNS_NAMEBUF_SIZE) {
+ if (!lable || (*lable & 0xFF) >= PICO_DNS_NAMEBUF_SIZE) {
+ return NULL;
+ }
 uint8_t label_size = (uint8_t)(*label+1);
 if (decompressed_index + label_size >= PICO_DNS_NAMEBUF_SIZE) {
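Review bot: The check added inside the loop in the `@@ -120,9 +120,17 @@` hunk names `lable`, but the variable declared in the context lines above is `label`, so this file should not compile as posted. Once renamed, `(*label & 0xFF) >= PICO_DNS_NAMEBUF_SIZE` can only be true if that constant is below 256; its definition is not in the hunk, so confirm the comparison is not dead code. The early return also leaves `pico_err` unset, unlike the NULL-argument guard added just above; `if (!label) { pico_err = PICO_ERR_EINVAL; return NULL; }` would be consistent with it. The body of pico_dns_decompress_name starts before and continues past this hunk.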
@@ -140,6 +148,12 @@ pico_dns_decompress_name( char *name, pico_dns_packet *packet )
 /* Found compression bits */
 ptr = (uint16_t)((((uint16_t) *label) & 0x003F) << 8);
 ptr = (uint16_t)(ptr | (uint16_t) *(label + 1));
+
+ /* Check if the pointer is within the packet */
+ if (ptr >= packet->len) {
+ return NULL;
+ }
+
 label = (char *)((uint8_t *)packet + ptr);
 dns_name_foreach_label_safe(label, label, next, PICO_DNS_NAMEBUF_SIZE-decompressed_index) {
diff --git a/modules/pico_mdns.c b/modules/pico_mdns.c
index fa98b851..fb8ca2db 100644
--- a/modules/pico_mdns.c
+++ b/modules/pico_mdns.c
@@ -1,12 +1,12 @@
 /*********************************************************************
- * PicoTCP-NG
+ * PicoTCP-NG
 * Copyright (c) 2020 Daniele Lacamera
 *
 * This file also includes code from:
 * PicoTCP
 * Copyright (c) 2012-2017 Altran Intelligent Systems
 * Authors: Toon Stegen, Jelle De Vleeschouwer
- *
+ *
 * SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only
 *
 * PicoTCP-NG is free software; you can redistribute it and/or modify
@@ -26,6 +26,7 @@
 *
 *********************************************************************/
 #include "pico_config.h"
+#include "pico_dns_common.h"
 #include "pico_stack.h"
 #include "pico_addressing.h"
 #include "pico_socket.h"
@@ -934,7 +935,7 @@ pico_mdns_record_delete( void **record )
 * Creates a single standalone mDNS resource record with given name, type and
 * data.
 *
- * @param S TCP/IP stack reference
+ * @param S TCP/IP stack reference
 * @param url DNS rrecord name in URL format. Will be converted to DNS
 * name notation format.
 * @param _rdata Memory buffer with data to insert in the resource record. If
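Review bot: `ptr >= packet->len` in the `@@ -140,6 +148,12 @@` hunk depends on `pico_dns_packet` having a `len` member, which nothing in this diff shows. If the type is the on-wire DNS header, the received length has to be passed into pico_dns_decompress_name some other way (for example an extra parameter) before this bound means anything. Even with a valid length, the check covers only the first byte at the jump target: the `dns_name_foreach_label_safe` walk that follows is limited by `PICO_DNS_NAMEBUF_SIZE-decompressed_index`, not by the bytes remaining in the packet, so a pointer near the end of the buffer can still lead to a read past it. Bounding that walk by the remaining packet bytes as well would close the gap; the rest of the function is outside the hunk.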
@@ -1040,7 +1041,7 @@ pico_mdns_cookie_delete( void **ptr )
 /* ****************************************************************************
 * Creates a single standalone mDNS cookie
 *
- * @param S TCP/IP stack reference
+ * @param S TCP/IP stack reference
 * @param qtree DNS questions you want to insert in the cookie.
 * @param antree mDNS answers/authority records you want to add to cookie.
 * @param artree mDNS additional records you want to add to cookie.
@@ -1050,7 +1051,7 @@ pico_mdns_cookie_delete( void **ptr )
 * @return Pointer to newly create cookie, NULL on failure.
 * ****************************************************************************/
 static struct pico_mdns_cookie *
-pico_mdns_cookie_create( struct pico_stack *S,
+pico_mdns_cookie_create( struct pico_stack *S,
 pico_dns_qtree qtree,
 pico_mdns_rtree antree,
 pico_mdns_rtree artree,
@@ -1466,7 +1467,7 @@ pico_mdns_my_records_probed( pico_mdns_rtree *records )
 PICO_FREE(record->stack->mdns_hostname);
 }
 /* Re-allocate hostname from given rname */
- record->stack->mdns_hostname =
+ record->stack->mdns_hostname =
 pico_dns_qname_to_url(found->record->rname);
 }
@@ -2190,6 +2191,12 @@ pico_mdns_handle_data_as_answers_generic(struct pico_stack *S,
 return -1;
 }
+ // check that the number of answare/response corrispond to the number of questions
+ if (count != pico_tree_count(&S->MDNSOwnRecords)) {
+ mdns_dbg("Number of answers does not match the number of questions\n");
+ return -1;
+ }
+
 /* TODO: When receiving multiple authoritative answers, */
 /* they should be sorted in lexicographical order */
 /* (just like in pico_mdns_record_am_i_lexi_later) */
@@ -3000,7 +3007,7 @@ pico_mdns_getrecord_generic(struct pico_stack *S, const char *url, uint16_t typ
 }
 /* Associate the current TCP/IP stack reference to access relevant
- * fields/trees
+ * fields/trees
 */
 q->stack = S;
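Review bot: In the `@@ -2190,6 +2191,12 @@` hunk the comment and the log message speak of the number of questions, but the condition compares `count` with `pico_tree_count(&S->MDNSOwnRecords)`, which is the number of records this host owns. As written, pico_mdns_handle_data_as_answers_generic returns -1 for every packet whose `count` differs from the local record count, which looks likely to drop legitimate responses, and it still does not bound `count` by what the received buffer can hold. If the aim is to stop parsing past the end of the packet, `count` should be checked against the remaining data where the records are parsed, which is outside this hunk. The comment also uses `//` where the surrounding code uses `/* */` and has typos; once the condition matches the intent it could read `/* Check that the number of answers corresponds to the number of questions */`.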