| author | Waldemar Brodkorb <wbx@openadk.org> | 2016-01-17 15:47:22 +0100 | 
|---|---|---|
| committer | Waldemar Brodkorb <wbx@uclibc-ng.org> | 2016-01-31 17:39:45 +0100 | 
| commit | d9c3a16dcab57d6b56225b9a67e9119cc9e2e4ac (patch) | |
| tree | 88b9953b18c0017f7bef502e12ac645acbe26652 /libc | |
| parent | 27f1b2c66c67e601dd619a1def70a8fd7ca5eeba (diff) | |
Do not follow compressed items forever.
It is possible to get stuck in an infinite loop when receiving a
specially crafted DNS reply. Exit the loop after a number of iterations
and consider the packet invalid.
Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
Diffstat (limited to 'libc')
| -rw-r--r-- | libc/inet/resolv.c | 5 | 
1 files changed, 4 insertions, 1 deletions
|
diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index eb663ac0f..5dca90746 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -669,11 +669,12 @@ int __decode_dotted(const unsigned char *packet,
 	bool measure = 1;
 	unsigned total = 0;
 	unsigned used = 0;
+	unsigned maxiter = 256;
 	if (!packet)
 		return -1;
-	while (1) {
+	while (--maxiter) {
 		if (offset >= packet_len)
 			return -1;
 		b = packet[offset++];
@@ -710,6 +711,8 @@ int __decode_dotted(const unsigned char *packet,
 		else
 			dest[used++] = '\0';
 	}
+	if (!maxiter)
+		return -1;
 	/* The null byte must be counted too */
 	if (measure)
|
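Review bot: The bound `unsigned maxiter = 256;` is an unexplained magic number, and because the loop tests `while (--maxiter)` the body runs at most 255 times rather than 256. Nothing in the hunk says what one pass counts; it presumably covers both ordinary labels and compression-pointer redirects, which matters when judging whether a legitimate maximum-length name still decodes. I would document it at the declaration, for example `/* upper bound on loop passes so a compression-pointer cycle in a crafted reply cannot spin forever */`, and state whether 255 passes is the intended limit. The body of __decode_dotted starts before and continues past this hunk, so the pointer-following branch itself is not visible here.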
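Review bot: The post-loop test `if (!maxiter)` only tells exhaustion apart from a normal end of name because any early exit from the loop leaves the counter nonzero, and that coupling is not written down. A short comment such as `/* counter exhausted: pointer chain too long or cyclic, reject the packet */` above the check would keep a later edit to the loop from breaking it silently. The context lines show the loop writing into `dest[used++]`, so on this new -1 path dest may already hold a partially decoded name. The function's contract should say that dest is undefined on failure, assuming callers do not already rely on that. The rest of the loop body is outside the hunk.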
