On Sat, Oct 30, 2010 at 05:28:42PM +0200, Gilles Chehade wrote:
> It was a typo indeed, tarball has been updated and also contains a fix for
> a crash experienced by todd@ when using "relay via"
>
> Gilles
I had a look at the pack.c file where the DNS compression is being handled.
It looks good to me. But I have one concern that needs to be confirmed.
In function dname_expand() on lines:
    54 ptr = 256 * (n & ~0xc0) + data[offset + 1];
    55 if (ptr >= offset)
    56 return (-1);
The pointer is checked against offset meaning that a compression loop can't
occur. This is good. However what happens if you have a DNS reply packet
with a name with two labels in it, one being a normal label of a name and the
second being a compression pointer that points back to the first label,
kinda like so..
[8]centroid[C0 back to 8]
I'm worried it might go into an infinite loop or crash even.
Perhaps it should check that it cannot go back to a label inside a dns name that
is being parsed.
Otherwise rockin' code! I don't understand it all, but the little I do understand
looks really high quality!
-peter
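To make the concern in this mail concrete, here is an added example of a name expander that is not the pack.c code under review. It uses constructed messages and its own function names (dns_name_expand, expand_good, expand_loop) as assumptions. The pointer check compares the pointer target with the offset where the current name segment began rather than with the current read position, and tightens that bound after every accepted jump, so each jump moves strictly backwards and the walk must terminate. With a check against the current offset only, the [8]centroid[C0 back to 8] shape passes (12 < 21) and the parser revisits the same label forever; here it is rejected.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>	/* ssize_t */

/*
 * Expand the compressed DNS name at msg[start] into dst as a dotted,
 * NUL-terminated string. Returns the number of message bytes the name
 * occupies at 'start' (up to and including the first pointer or the
 * terminating zero label), or -1 for malformed input.
 */
static ssize_t
dns_name_expand(const unsigned char *msg, size_t len, size_t start,
    char *dst, size_t dstlen)
{
	size_t offset = start;	/* current read position */
	size_t limit = start;	/* a pointer must target an offset < limit */
	size_t end = 0;		/* one past the last byte consumed at 'start' */
	size_t out = 0;		/* bytes written to dst */
	size_t wire = 0;	/* uncompressed wire length, RFC 1035 cap 255 */
	int jumped = 0;

	if (dstlen == 0)
		return -1;
	for (;;) {
		size_t n;

		if (offset >= len)
			return -1;
		n = msg[offset];
		if ((n & 0xc0) == 0xc0) {
			size_t ptr;

			if (offset + 1 >= len)
				return -1;
			ptr = ((n & 0x3f) << 8) | msg[offset + 1];
			/* Reject self pointers and pointers back into the
			 * name (or segment) currently being expanded. */
			if (ptr >= limit)
				return -1;
			if (!jumped) {
				end = offset + 2;
				jumped = 1;
			}
			limit = ptr;	/* every later jump must go further back */
			offset = ptr;
			continue;
		}
		if (n & 0xc0)		/* 0x40 / 0x80 label types are reserved */
			return -1;
		if (n == 0) {
			if (!jumped)
				end = offset + 1;
			break;
		}
		if (offset + 1 + n > len)
			return -1;
		wire += n + 1;
		if (wire + 1 > 255)	/* +1 for the terminating zero label */
			return -1;
		/* label bytes, a separating dot (unless first) and a NUL must fit */
		if (out + (out ? 1 : 0) + n + 1 > dstlen)
			return -1;
		if (out)
			dst[out++] = '.';
		memcpy(dst + out, msg + offset + 1, n);
		out += n;
		offset += 1 + n;
	}
	if (out == 0) {		/* the root name */
		if (dstlen < 2)
			return -1;
		dst[out++] = '.';
	}
	dst[out] = '\0';
	return (ssize_t)(end - start);
}

/* Constructed message: 12-byte header, "example.com" in full at offset 12,
 * then at offset 25 the label "www" followed by a pointer to offset 12. */
static const unsigned char good_msg[] = {
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
	3, 'w', 'w', 'w', 0xc0, 0x0c,
};

/* Constructed message with the shape from the mail: [8]centroid at offset 12
 * followed by a pointer back to offset 12. */
static const unsigned char loop_msg[] = {
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	8, 'c', 'e', 'n', 't', 'r', 'o', 'i', 'd', 0xc0, 0x0c,
};

static char good_buf[256];

/* Expands the name at offset 25 of good_msg; expected 6 bytes consumed. */
static ssize_t expand_good(void)
{
	return dns_name_expand(good_msg, sizeof good_msg, 25, good_buf, sizeof good_buf);
}

/* Expands the looping name at offset 12 of loop_msg; expected -1. */
static ssize_t expand_loop(void)
{
	char buf[256];
	return dns_name_expand(loop_msg, sizeof loop_msg, 12, buf, sizeof buf);
}

int main(void)
{
	printf("good: consumed %zd, name \"%s\"\n", expand_good(), good_buf);
	printf("loop: result %zd (rejected)\n", expand_loop());
	return 0;
}
```

The strictly decreasing bound is stricter than a visited-offset bitmap but needs no extra state, and it also enforces the RFC 1035 rule that a pointer refers to a prior occurrence of the name; the separate 255-octet and dstlen checks keep a long but loop-free chain from overrunning the output buffer.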