changeset 7859:5d561a77502e stable-1.20

Resolver: fixed off-by-one read in ngx_resolver_copy().

It is believed to be harmless, and in the worst case it uses some uninitialized memory as a part of the compression pointer length, eventually leading to the "name is out of DNS response" error.
author Maxim Dounin <mdounin@mdounin.ru>
date Tue, 25 May 2021 15:17:38 +0300
parents 7f702d35ac38
children a45b6a206cfc
files src/core/ngx_resolver.c
diffstat 1 files changed, 5 insertions(+), 0 deletions(-)
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -3958,6 +3958,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx
         }
 
         if (n & 0xc0) {
+            if (p >= last) {
+                err = "name is out of DNS response";
+                goto invalid;
+            }
+
             n = ((n & 0x3f) << 8) + *p;
             p = &buf[n];
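Review bot: The new `if (p >= last)` check covers only the read of the second compression-pointer byte in `*p`; the jump target set by `p = &buf[n];` is not validated anywhere in the visible lines, and `n` can be any 14-bit offset here. Please confirm that the code following this hunk compares the new `p` against `last` before the next dereference, since the commit message relies on that later check to produce the "name is out of DNS response" error. A short comment above the added block saying that a compression pointer is two bytes and the second one may lie past the end of a truncated response would make the reason for the check clear to later readers. A regression test with a response that ends immediately after a byte with the `0xc0` bits set would pin this behaviour down.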