From 7910e5a36ed3b856050f8e10709c6148d834bf00 Mon Sep 17 00:00:00 2001
From: Thiago Macieira <thiago.macieira@intel.com>
Date: Tue, 7 May 2024 07:54:32 -0700
Subject: [PATCH] QDnsLookup/Unix: check size in parsing of SRV records
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We need at least 7 bytes: three 16-bit numeric fields and the hostname,
for which we need at least one byte and expandHost() takes care of
checking size further.

Pick-to: 6.5
Change-Id: Ic5b1273bb0204c31afd8fffd17cd3c9ba3c9fec7
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit 55c6d6c86bf092401a4876faead603561cc54d50)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/network/kernel/qdnslookup_unix.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
index 6cdd4e3adfd..bb13dcbdf06 100644
--- a/src/network/kernel/qdnslookup_unix.cpp
+++ b/src/network/kernel/qdnslookup_unix.cpp
@@ -356,6 +356,8 @@ void QDnsLookupRunnable::query(QDnsLookupReply *reply)
                 return reply->makeInvalidReplyError(QDnsLookup::tr("Invalid mail exchange record"));
             reply->mailExchangeRecords.append(record);
         } else if (type == QDnsLookup::SRV) {
+            if (size < 7)
+                return reply->makeInvalidReplyError(QDnsLookup::tr("Invalid service record"));
             const quint16 priority = qFromBigEndian<quint16>(response + offset);
             const quint16 weight = qFromBigEndian<quint16>(response + offset + 2);
             const quint16 port = qFromBigEndian<quint16>(response + offset + 4);