diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2021-05-25 15:17:41 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2021-05-25 15:17:41 +0300 |
| commit | 3893b483ed2d90f514ffe10a5d1ac12a90b89d4e (patch) | |
| tree | 39d9b2c5536a4f288e96897a130bd61fcd8cf817 | |
| parent | dbd4dfd19fbd4d894f1215ea84f9c8ec2b3e84fc (diff) | |
| download | nginx-3893b483ed2d90f514ffe10a5d1ac12a90b89d4e.tar.gz nginx-3893b483ed2d90f514ffe10a5d1ac12a90b89d4e.tar.bz2 | |
Resolver: fixed label types handling in ngx_resolver_copy().
Previously, anything with any of the two high bits set were interpreted
as compression pointers. This is incorrect, as RFC 1035 clearly states
that "The 10 and 01 combinations are reserved for future use". Further,
the 01 combination is actually allocated for EDNS extended label type
(see RFC 2671 and RFC 6891), not really used though.
Fix is to reject unrecognized label types rather than misinterpreting
them as compression pointers.
| -rw-r--r-- | src/core/ngx_resolver.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c index 9b1317234..12dab09ea 100644 --- a/src/core/ngx_resolver.c +++ b/src/core/ngx_resolver.c @@ -3958,6 +3958,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src, } if (n & 0xc0) { + if ((n & 0xc0) != 0xc0) { + err = "invalid label type in DNS response"; + goto invalid; + } + if (p >= last) { err = "name is out of DNS response"; goto invalid; |