Loops in RR compression were only detected for the first entry.
Multiple redirections should be allowed, each one checking for an
infinite loop on its own starting point.
---
src/resolve/resolved-dns-packet.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/resolve/resolved-dns-packet.c
b/src/resolve/resolved-dns-packet.c
index e5d07b3..2e549b0 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -873,6 +873,7 @@ int dns_packet_read_name(DnsPacket *p, char **_ret,
for (;;) {
uint8_t c, d;
+ size_t compression_start = p->rindex;
r = dns_packet_read_uint8(p, &c, NULL);
if (r < 0)
@@ -916,7 +917,7 @@ int dns_packet_read_name(DnsPacket *p, char **_ret,
goto fail;
ptr = (uint16_t) (c & ~0xc0) << 8 | (uint16_t) d;
- if (ptr < DNS_PACKET_HEADER_SIZE || ptr >=
saved_rindex) {
+ if (ptr < DNS_PACKET_HEADER_SIZE || ptr >=
compression_start) {
r = -EBADMSG;
goto fail;
}
--
2.1.2
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
