From 660bf03cb1f918c3a0bc06b6fb603eb7443d8cf4 Mon Sep 17 00:00:00 2001
From: Liong Sauw Ming <ming@teluu.com>
Date: Mon, 22 Jun 2015 08:49:34 +0000
Subject: Re #1843 (misc): Fixed potential memory corruption problem if  DNS
 resolver receives a response with more than 8 A records.

Thank you to Oleg Grazhdan for the patch and Andrey Kovalenko for the report



git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@5115 74dad513-b988-da41-8d7b-12977e46ad98
---
 pjlib-util/src/pjlib-util/srv_resolver.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'pjlib-util')

diff --git a/pjlib-util/src/pjlib-util/srv_resolver.c b/pjlib-util/src/pjlib-util/srv_resolver.c
index 5c22ac2b..a97ca0df 100644
--- a/pjlib-util/src/pjlib-util/srv_resolver.c
+++ b/pjlib-util/src/pjlib-util/srv_resolver.c
@@ -329,7 +329,9 @@ static void build_server_entries(pj_dns_srv_async_query *query_job,
 	 * Update the IP address of the corresponding SRV record.
 	 */
 	for (j=0; j<query_job->srv_cnt; ++j) {
-	    if (pj_stricmp(&rr->name, &query_job->srv[j].target_name)==0) {
+            if (pj_stricmp(&rr->name, &query_job->srv[j].target_name)==0 &&
+                query_job->srv[j].addr_cnt < ADDR_MAX_COUNT)
+            {
 		unsigned cnt = query_job->srv[j].addr_cnt;
 		query_job->srv[j].addr[cnt].s_addr = rr->rdata.a.ip_addr.s_addr;
 		/* Only increment host_resolved once per SRV record */
-- 
cgit v1.2.3