author | Waldemar Brodkorb <wbx@openadk.org> | 2016-01-17 15:47:22 +0100 |
---|---|---|
committer | Waldemar Brodkorb <wbx@uclibc-ng.org> | 2016-01-31 17:39:45 +0100 |
commit | d9c3a16dcab57d6b56225b9a67e9119cc9e2e4ac (patch) | |
tree | 88b9953b18c0017f7bef502e12ac645acbe26652 | |
parent | 27f1b2c66c67e601dd619a1def70a8fd7ca5eeba (diff) |
Do not follow compressed items forever.
It is possible to get stuck in an infinite loop when receiving a
specially crafted DNS reply. Exit the loop after a number of iterations
and consider the packet invalid.
Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
-rw-r--r-- | libc/inet/resolv.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index eb663ac0f..5dca90746 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -669,11 +669,12 @@ int __decode_dotted(const unsigned char *packet,
 bool measure = 1;
 unsigned total = 0;
 unsigned used = 0;
+ unsigned maxiter = 256;
 if (!packet)
 return -1;
- while (1) {
+ while (--maxiter) {
 if (offset >= packet_len)
 return -1;
 b = packet[offset++];
@@ -710,6 +711,8 @@ int __decode_dotted(const unsigned char *packet,
 else
 dest[used++] = '\0';
 }
+ if (!maxiter)
+ return -1;
 /* The null byte must be counted too */
 if (measure) |
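Review bot: The bound `unsigned maxiter = 256;` in the first hunk is an unexplained magic number, and because the loop tests `--maxiter` the body runs at most 255 times, not 256. A comment above the declaration such as `/* cap label and compression-pointer steps so a crafted reply cannot loop forever */` would record both the intent and the real limit. The `if (!maxiter)` check in the second hunk has the same gap and could carry `/* iteration budget exhausted: reject the packet */` so it is not read as a normal loop exit. The budget rejects a pointer cycle only after it has been followed for the full count; the pointer handling presumably sits in the part of the loop outside these hunks, and requiring each compression pointer to target a strictly earlier offset there would be a structural check worth considering. `__decode_dotted` starts and ends outside both hunks.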