fix(mdns): Fix parsing incorrect txt records

david-cermak · david-cermak · commit 8fd2c99f1535 · 2025-03-21T12:40:12.000+01:00
Issue discovered when fuzzing packet parser,
received packet with inconsistent txt section caused issues on final cleanup
diff --git a/components/mdns/mdns.c b/components/mdns/mdns.c
@@ -3593,7 +3593,7 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it
         }
 
         int name_len = _mdns_txt_item_name_get_len(data + i, partLen);
-        if (name_len < 0) {//invalid item (no name)
+        if (name_len < 0 || txt_num >= num_items) {//invalid item (no name or more items than expected)
             i += partLen;
             continue;
         }
@@ -3602,7 +3602,6 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it
             HOOK_MALLOC_FAILED;
             goto handle_error;//error
         }
-
         mdns_txt_item_t *t = &txt[txt_num];
         uint8_t *value_len = &txt_value_len[txt_num];
         txt_num++;
@@ -3624,6 +3623,8 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it
             *value_len = new_value_len;
             i += new_value_len;
             t->value = value;
+        } else {
+            t->value = NULL;
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -3593,7 +3593,7 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it`
`3593`	`3593`	`}`
`3594`	`3594`
`3595`	`3595`	`int name_len = _mdns_txt_item_name_get_len(data + i, partLen);`
`3596`		`- if (name_len < 0) {//invalid item (no name)`
	`3596`	`+ if (name_len < 0 \|\| txt_num >= num_items) {//invalid item (no name or more items than expected)`
`3597`	`3597`	`i += partLen;`
`3598`	`3598`	`continue;`
`3599`	`3599`	`}`
`@@ -3602,7 +3602,6 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it`
`3602`	`3602`	`HOOK_MALLOC_FAILED;`
`3603`	`3603`	`goto handle_error;//error`
`3604`	`3604`	`}`
`3605`		`-`
`3606`	`3605`	`mdns_txt_item_t *t = &txt[txt_num];`
`3607`	`3606`	`uint8_t *value_len = &txt_value_len[txt_num];`
`3608`	`3607`	`txt_num++;`
`@@ -3624,6 +3623,8 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it`
`3624`	`3623`	`*value_len = new_value_len;`
`3625`	`3624`	`i += new_value_len;`
`3626`	`3625`	`t->value = value;`
	`3626`	`+ } else {`
	`3627`	`+ t->value = NULL;`
`3627`	`3628`	`}`
`3628`	`3629`	`}`
`3629`	`3630`