Mercurial > hg > nginx-quic
comparison src/core/ngx_resolver.c @ 8471:a093dd4ce154
Resolver: fixed off-by-one read in ngx_resolver_copy().
It is believed to be harmless, and in the worst case it uses some
uninitialized memory as a part of the compression pointer length,
eventually leading to the "name is out of DNS response" error.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 25 May 2021 15:17:38 +0300 |
parents | 2fd40ee19c20 |
children | aa5f8825f24d |
8470:2fd40ee19c20 | 8471:a093dd4ce154 |
---|---|
3956 if (n == 0) { | 3956 if (n == 0) { |
3957 goto done; | 3957 goto done; |
3958 } | 3958 } |
3959 | 3959 |
3960 if (n & 0xc0) { | 3960 if (n & 0xc0) { |
3961 if (p >= last) { | |
3962 err = "name is out of DNS response"; | |
3963 goto invalid; | |
3964 } | |
3965 | |
3961 n = ((n & 0x3f) << 8) + *p; | 3966 n = ((n & 0x3f) << 8) + *p; |
3962 p = &buf[n]; | 3967 p = &buf[n]; |
3963 | 3968 |
3964 } else { | 3969 } else { |
3965 len += 1 + n; | 3970 len += 1 + n; |
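Review bot: The new `p >= last` guard in the `n & 0xc0` branch covers only the read of the second pointer octet in `n = ((n & 0x3f) << 8) + *p;`. The 14-bit offset then assigned by `p = &buf[n];` comes straight from the packet, and nothing in the visible lines bounds it before the next pass through the loop dereferences `p`. Please confirm that a check against `last` still runs after this branch. Because the new block reuses the existing "name is out of DNS response" string, a one-line comment saying that it guards the low byte of the compression pointer would keep it from being mistaken for a duplicate of any later check and removed.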