mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-11-27 23:49:00 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Resolver: fixed off-by-one read in ngx_resolver_copy().

Browse Source 
It is believed to be harmless, and in the worst case it uses some
uninitialized memory as a part of the compression pointer length,
eventually leading to the "name is out of DNS response" error.
This commit is contained in:
Maxim Dounin 2021-05-25 15:17:38 +03:00
parent 7199ebc203
commit dbd4dfd19f
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/core/ngx_resolver.c
View File

@ -3958,6 +3958,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src,
}
if (n & 0xc0) {
if (p >= last) {
err = "name is out of DNS response";
goto invalid;
}
n = ((n & 0x3f) << 8) + *p;
p = &buf[n];