Mercurial > hg > nginx
comparison src/core/ngx_resolver.c @ 7859:5d561a77502e stable-1.20
Resolver: fixed off-by-one read in ngx_resolver_copy().
It is believed to be harmless, and in the worst case it uses some
uninitialized memory as a part of the compression pointer length,
eventually leading to the "name is out of DNS response" error.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 25 May 2021 15:17:38 +0300 |
| parents | 7f702d35ac38 |
| children | aa5f8825f24d |
comparison
equal
deleted
inserted
replaced
| 7858:7f702d35ac38 | 7859:5d561a77502e |
|---|---|
| 3956 if (n == 0) { | 3956 if (n == 0) { |
| 3957 goto done; | 3957 goto done; |
| 3958 } | 3958 } |
| 3959 | 3959 |
| 3960 if (n & 0xc0) { | 3960 if (n & 0xc0) { |
| 3961 if (p >= last) { | |
| 3962 err = "name is out of DNS response"; | |
| 3963 goto invalid; | |
| 3964 } | |
| 3965 | |
| 3961 n = ((n & 0x3f) << 8) + *p; | 3966 n = ((n & 0x3f) << 8) + *p; |
| 3962 p = &buf[n]; | 3967 p = &buf[n]; |
| 3963 | 3968 |
| 3964 } else { | 3969 } else { |
| 3965 len += 1 + n; | 3970 len += 1 + n; |