net: dns: dispatcher: fix OOB array access

JordanYates · kartben · commit 0f1d7d3b59a5 · 2025-05-14T14:11:11.000+02:00
Validate that the file descriptor is not a negative number before
writing to the `dispatch_table` `ctx` field. Setting file descriptors
to `-1` is the standard "not in use" value, and in fact the entire array
of `fds` is set to this value in `dns_resolve_init_locked`. This
resolves memory corruption of whichever variable is unfortunate to exist
just before `dispatch_table` in memory.

Signed-off-by: Jordan Yates &lt;jordan@embeint.com&gt;
diff --git a/subsys/net/lib/dns/dispatcher.c b/subsys/net/lib/dns/dispatcher.c
@@ -345,6 +345,10 @@ int dns_dispatcher_unregister(struct dns_socket_dispatcher *ctx)
 			goto out;
 		}
 
+		if (ctx->fds[i].fd < 0) {
+			continue;
+		}
+
 		dispatch_table[ctx->fds[i].fd].ctx = NULL;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -345,6 +345,10 @@ int dns_dispatcher_unregister(struct dns_socket_dispatcher *ctx)`
`345`	`345`	`goto out;`
`346`	`346`	`}`
`347`	`347`
	`348`	`+ if (ctx->fds[i].fd < 0) {`
	`349`	`+ continue;`
	`350`	`+ }`
	`351`	`+`
`348`	`352`	`dispatch_table[ctx->fds[i].fd].ctx = NULL;`
`349`	`353`	`}`
`350`	`354`