cuberite/libevent
1
0
Fork 0
mirror of https://github.com/cuberite/libevent.git synced 2025-09-08 20:07:56 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix ddos in dns parsing due to infinite loop;

Browse Source 
patch from Nick Mathewson; also received
notification from Jon Oberheide.


svn:r311
This commit is contained in:
Niels Provos 2007-01-21 17:28:55 +00:00
parent d5d04949e3
commit b04043ae51
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
evdns.c
View File

@ -641,6 +641,7 @@ static inline int
name_parse(u8 *packet, int length, int *idx, char *name_out, int name_out_len) {
int name_end = -1;
int j = *idx;
int ptr_count = 0;
#define GET32(x) do { if (j + 4 > length) return -1; memcpy(&_t32, packet + j, 4); j += 4; x = ntohl(_t32); } while(0);
#define GET16(x) do { if (j + 2 > length) return -1; memcpy(&_t, packet + j, 2); j += 2; x = ntohs(_t); } while(0);
#define GET8(x) do { if (j >= length) return -1; x = packet[j++]; } while(0);
@ -664,7 +665,11 @@ name_parse(u8 *packet, int length, int *idx, char *name_out, int name_out_len) {
GET8(ptr_low);
if (name_end < 0) name_end = j;
j = (((int)label_len & 0x3f) << 8) + ptr_low;
/* Make sure that the target offset is in-bounds. */
if (j < 0 || j >= length) return -1;
/* If we've jumped more times than there are characters in the
* message, we must have a loop. */
if (++ptr_count > length) return -1;
continue;
}
if (label_len > 63) return -1;