net: dns: Fix potential buffer overflow when unpacking labels

As the loop unpacking the DNS name from records checks the current
label length on each iteration, it's also needed to update the remaining
buffer length on each iteration, otherwise the buffer length checks
doesn't work as expected.

Additionally, the remaining buffer checks while technically worked, they
were conceptually wrong and unintuitive. The buf->data pointer doesn't
move, so comparing against this pointer when adding new labels doesn't
make sense. It's more intuitive to simply compare the label size vs
the remaining buffer space.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>

Author: rlubos

subsys/net/lib/dns/dns_pack.c

@@ -486,7 +486,6 @@ int mdns_unpack_query_header(struct dns_msg_t *msg, uint16_t *src_id)
 int dns_unpack_name(const uint8_t *msg, int maxlen, const uint8_t *src,
 		    struct net_buf *buf, const uint8_t **eol)
 {
-	int dest_size = net_buf_tailroom(buf);
 	const uint8_t *end_of_label = NULL;
 	const uint8_t *curr_src = src;
 	int loop_check = 0, len = -1;
@@ -525,6 +524,8 @@ int dns_unpack_name(const uint8_t *msg, int maxlen, const uint8_t *src,
 				return -EMSGSIZE;
 			}
 		} else {
+			size_t dest_size = net_buf_tailroom(buf);
+
 			/* Max label length is 64 bytes (because 2 bits are
 			 * used for pointer)
 			 */
@@ -533,8 +534,7 @@ int dns_unpack_name(const uint8_t *msg, int maxlen, const uint8_t *src,
 				return -EMSGSIZE;
 			}
 
-			if (((buf->data + label_len + 1) >=
-			     (buf->data + dest_size)) ||
+			if ((label_len + 1 >= dest_size) ||
 			    ((curr_src + label_len) >= (msg + maxlen))) {
 				return -EMSGSIZE;
 			}