summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWaldemar Brodkorb <wbx@openadk.org>2016-01-17 15:47:22 +0100
committerWaldemar Brodkorb <wbx@uclibc-ng.org>2016-01-31 17:39:45 +0100
commitd9c3a16dcab57d6b56225b9a67e9119cc9e2e4ac (patch)
tree88b9953b18c0017f7bef502e12ac645acbe26652
parent27f1b2c66c67e601dd619a1def70a8fd7ca5eeba (diff)
Do not follow compressed items forever.
It is possible to get stuck in an infinite loop when receiving a specially crafted DNS reply. Exit the loop after a number of iteration and consider the packet invalid. Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se> Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
-rw-r--r--libc/inet/resolv.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index eb663ac0f..5dca90746 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -669,11 +669,12 @@ int __decode_dotted(const unsigned char *packet,
bool measure = 1;
unsigned total = 0;
unsigned used = 0;
+ unsigned maxiter = 256;
if (!packet)
return -1;
- while (1) {
+ while (--maxiter) {
if (offset >= packet_len)
return -1;
b = packet[offset++];
@@ -710,6 +711,8 @@ int __decode_dotted(const unsigned char *packet,
else
dest[used++] = '\0';
}
+ if (!maxiter)
+ return -1;
/* The null byte must be counted too */
if (measure)