diff options
author | Maxim Dounin <mdounin@mdounin.ru> | 2021-05-25 15:17:38 +0300 |
---|---|---|
committer | Maxim Dounin <mdounin@mdounin.ru> | 2021-05-25 15:17:38 +0300 |
commit | dbd4dfd19fbd4d894f1215ea84f9c8ec2b3e84fc (patch) | |
tree | 52fe5eec0f3ec04d207320beca5b274b8c52a99c | |
parent | 7199ebc203f74fd9e44595474de6bdc41740c5cf (diff) | |
download | nginx-dbd4dfd19fbd4d894f1215ea84f9c8ec2b3e84fc.tar.gz |
Resolver: fixed off-by-one read in ngx_resolver_copy().
It is believed to be harmless, and in the worst case it uses some
uninitialized memory as a part of the compression pointer length,
eventually leading to the "name is out of DNS response" error.
-rw-r--r-- | src/core/ngx_resolver.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c index 63b26193d..9b1317234 100644 --- a/src/core/ngx_resolver.c +++ b/src/core/ngx_resolver.c @@ -3958,6 +3958,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src, } if (n & 0xc0) { + if (p >= last) { + err = "name is out of DNS response"; + goto invalid; + } + n = ((n & 0x3f) << 8) + *p; p = &buf[n]; |