diff options
| author | Sergey Kandaurov <pluknet@nginx.com> | 2021-05-28 13:33:08 +0300 |
|---|---|---|
| committer | Sergey Kandaurov <pluknet@nginx.com> | 2021-05-28 13:33:08 +0300 |
| commit | b2b8637f98698fa8795079922d6227a2d5a3a0ad (patch) | |
| tree | b61cb2817764a4c1b49d1e9c42f31f0c834bfeb8 /src/core/ngx_resolver.c | |
| parent | 03fcff287db0d6b620f837de95116ad3a3b7e1e9 (diff) | |
| parent | 798813e96b0a948b4713e92b67ecae8116f9d08f (diff) | |
| download | nginx-b2b8637f98698fa8795079922d6227a2d5a3a0ad.tar.gz nginx-b2b8637f98698fa8795079922d6227a2d5a3a0ad.tar.bz2 | |
Merged with the default branch.
Diffstat (limited to 'src/core/ngx_resolver.c')
| -rw-r--r-- | src/core/ngx_resolver.c | 45 |
1 files changed, 27 insertions, 18 deletions
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c index 793907010..58d5f3ec4 100644 --- a/src/core/ngx_resolver.c +++ b/src/core/ngx_resolver.c @@ -1798,6 +1798,12 @@ ngx_resolver_process_response(ngx_resolver_t *r, u_char *buf, size_t n, i = sizeof(ngx_resolver_hdr_t); while (i < (ngx_uint_t) n) { + + if (buf[i] & 0xc0) { + err = "unexpected compression pointer in DNS response"; + goto done; + } + if (buf[i] == '\0') { goto found; } @@ -3939,11 +3945,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src, { char *err; u_char *p, *dst; - ssize_t len; + size_t len; ngx_uint_t i, n; p = src; - len = -1; + len = 0; /* * compression pointers allow to create endless loop, so we set limit; @@ -3958,6 +3964,16 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src, } if (n & 0xc0) { + if ((n & 0xc0) != 0xc0) { + err = "invalid label type in DNS response"; + goto invalid; + } + + if (p >= last) { + err = "name is out of DNS response"; + goto invalid; + } + n = ((n & 0x3f) << 8) + *p; p = &buf[n]; @@ -3986,7 +4002,7 @@ done: return NGX_OK; } - if (len == -1) { + if (len == 0) { ngx_str_null(name); return NGX_OK; } @@ -3998,30 +4014,23 @@ done: name->data = dst; - n = *src++; - for ( ;; ) { + n = *src++; + + if (n == 0) { + name->len = dst - name->data - 1; + return NGX_OK; + } + if (n & 0xc0) { n = ((n & 0x3f) << 8) + *src; src = &buf[n]; - n = *src++; - } else { ngx_strlow(dst, src, n); dst += n; src += n; - - n = *src++; - - if (n != 0) { - *dst++ = '.'; - } - } - - if (n == 0) { - name->len = dst - name->data; - return NGX_OK; + *dst++ = '.'; } } } |