nginx: src/core/ngx_resolver.c comparison

comparison src/core/ngx_resolver.c @ 5471:9c96782d9d05

Resolver: fixes in A processing. Verify that class of RR is "IN". Verify that RR data length is exactly four octets. Correctly shift to the next RR if RR type is unknown.

author	Ruslan Ermilov <ru@nginx.com>
date	Fri, 06 Dec 2013 14:30:27 +0400
parents	aebdca7e8f8f
children	ab493c60d9ff

comparison

equal deleted inserted replaced

-:aebdca7e8f8f
+:9c96782d9d05
 size_t                len;
 int32_t               ttl;
 uint32_t              hash;
 in_addr_t             addr, *addrs;
 ngx_str_t             name;
-ngx_uint_t            type, qident, naddrs, a, i, n, start;
+ngx_uint_t            type, class, qident, naddrs, a, i, n, start;
 ngx_resolver_an_t    *an;
 ngx_resolver_ctx_t   *ctx, *next;
 ngx_resolver_node_t  *rn;
 if (ngx_resolver_copy(r, &name, buf,
 rn = ngx_resolver_lookup_name(r, &name, hash);
 if (rn == NULL || rn->query == NULL) {
 ngx_log_error(r->log_level, r->log, 0,
 "unexpected response for %V", &name);
+ngx_resolver_free(r, name.data);
 goto failed;
 }
 qident = (rn->query[0] << 8) + rn->query[1];
 if (ident != qident) {
 ngx_log_error(r->log_level, r->log, 0,
 "wrong ident %ui response for %V, expect %ui",
 ident, &name, qident);
+ngx_resolver_free(r, name.data);
 goto failed;
 }
 ngx_resolver_free(r, name.data);
 }
 an = (ngx_resolver_an_t *) &buf[i];
 type = (an->type_hi << 8) + an->type_lo;
+class = (an->class_hi << 8) + an->class_lo;
 len = (an->len_hi << 8) + an->len_lo;
 ttl = (an->ttl[0] << 24) + (an->ttl[1] << 16)
 + (an->ttl[2] << 8) + (an->ttl[3]);
+if (class != 1) {
+ngx_log_error(r->log_level, r->log, 0,
+"unexpected RR class %ui", class);
+goto failed;
+}
 if (ttl < 0) {
 ttl = 0;
 }
+i += sizeof(ngx_resolver_an_t);
 switch (type) {
 case NGX_RESOLVE_A:
-i += sizeof(ngx_resolver_an_t);
+if (len != 4) {
+err = "invalid A record in DNS response";
-if (i + len > last) {
+goto invalid;
+}
+if (i + 4 > last) {
 goto short_response;
 }
 addr = htonl((buf[i] << 24) + (buf[i + 1] << 16)
 + (buf[i + 2] << 8) + (buf[i + 3]));
 naddrs++;
-i += len;
 break;
 case NGX_RESOLVE_CNAME:
-cname = &buf[i] + sizeof(ngx_resolver_an_t);
+cname = &buf[i];
-i += sizeof(ngx_resolver_an_t) + len;
 break;
 case NGX_RESOLVE_DNAME:
-i += sizeof(ngx_resolver_an_t) + len;
 break;
 default:
 ngx_log_error(r->log_level, r->log, 0,
 "unexpected RR type %ui", type);
 }
+i += len;
 }
 ngx_log_debug3(NGX_LOG_DEBUG_CORE, r->log, 0,
 "resolver naddrs:%ui cname:%p ttl:%d",
 naddrs, cname, ttl);
 } else {
 addrs = ngx_resolver_alloc(r, naddrs * sizeof(in_addr_t));
 if (addrs == NULL) {
-return;
+goto failed;
 }
 n = 0;
 i = ans;
 rn->u.addrs = addrs;
 addrs = ngx_resolver_dup(r, rn->u.addrs,
 naddrs * sizeof(in_addr_t));
 if (addrs == NULL) {
-return;
+goto failed;
 }
 }
 rn->naddrs = (u_short) naddrs;
 if (cname) {
 /* CNAME only */
 if (ngx_resolver_copy(r, &name, buf, cname, buf + last) != NGX_OK) {
-return;
+goto failed;
 }
 ngx_log_debug1(NGX_LOG_DEBUG_CORE, r->log, 0,
 "resolver cname:\"%V\"", &name);
 (void) ngx_resolve_name_locked(r, ctx);
 }
 ngx_resolver_free(r, rn->query);
 rn->query = NULL;
+/* unlock name mutex */
 return;
 }
 ngx_log_error(r->log_level, r->log, 0,
 return;
 failed:
 /* unlock name mutex */
-ngx_resolver_free(r, name.data);
 return;
 }

Mercurial > hg > nginx

comparison src/core/ngx_resolver.c @ 5471:9c96782d9d05