[nginx] Resolver: fixes in PTR processing.

Ruslan Ermilov ru at nginx.com
Fri Dec 13 16:54:42 UTC 2013


details:   http://hg.nginx.org/nginx/rev/ab493c60d9ff
branches:  
changeset: 5472:ab493c60d9ff
user:      Ruslan Ermilov <ru at nginx.com>
date:      Fri Dec 06 14:30:27 2013 +0400
description:
Resolver: fixes in PTR processing.

Verify that class of RR is "IN".
Verify that RR data length is non-zero.

diffstat:

 src/core/ngx_resolver.c |  17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

diffs (66 lines):

diff -r 9c96782d9d05 -r ab493c60d9ff src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c	Fri Dec 06 14:30:27 2013 +0400
+++ b/src/core/ngx_resolver.c	Fri Dec 06 14:30:27 2013 +0400
@@ -1517,7 +1517,7 @@ ngx_resolver_process_ptr(ngx_resolver_t 
     int32_t               ttl;
     ngx_int_t             octet;
     ngx_str_t             name;
-    ngx_uint_t            i, mask, qident;
+    ngx_uint_t            i, mask, qident, class;
     ngx_resolver_an_t    *an;
     ngx_resolver_ctx_t   *ctx, *next;
     ngx_resolver_node_t  *rn;
@@ -1526,7 +1526,7 @@ ngx_resolver_process_ptr(ngx_resolver_t 
                           buf + sizeof(ngx_resolver_hdr_t), buf + n)
         != NGX_OK)
     {
-        goto invalid_in_addr_arpa;
+        return;
     }
 
     addr = 0;
@@ -1599,7 +1599,7 @@ ngx_resolver_process_ptr(ngx_resolver_t 
 
     i += sizeof("\7in-addr\4arpa") + sizeof(ngx_resolver_qs_t);
 
-    if (i + 2 + sizeof(ngx_resolver_an_t) > n) {
+    if (i + 2 + sizeof(ngx_resolver_an_t) >= n) {
         goto short_response;
     }
 
@@ -1612,10 +1612,17 @@ ngx_resolver_process_ptr(ngx_resolver_t 
 
     an = (ngx_resolver_an_t *) &buf[i + 2];
 
+    class = (an->class_hi << 8) + an->class_lo;
     len = (an->len_hi << 8) + an->len_lo;
     ttl = (an->ttl[0] << 24) + (an->ttl[1] << 16)
         + (an->ttl[2] << 8) + (an->ttl[3]);
 
+    if (class != 1) {
+        ngx_log_error(r->log_level, r->log, 0,
+                      "unexpected RR class %ui", class);
+        goto failed;
+    }
+
     if (ttl < 0) {
         ttl = 0;
     }
@@ -1623,7 +1630,7 @@ ngx_resolver_process_ptr(ngx_resolver_t 
     ngx_log_debug3(NGX_LOG_DEBUG_CORE, r->log, 0,
                   "resolver qt:%ui cl:%ui len:%uz",
                   (an->type_hi << 8) + an->type_lo,
-                  (an->class_hi << 8) + an->class_lo, len);
+                  class, len);
 
     i += 2 + sizeof(ngx_resolver_an_t);
 
@@ -1632,7 +1639,7 @@ ngx_resolver_process_ptr(ngx_resolver_t 
     }
 
     if (ngx_resolver_copy(r, &name, buf, buf + i, buf + n) != NGX_OK) {
-        return;
+        goto failed;
     }
 
     ngx_log_debug1(NGX_LOG_DEBUG_CORE, r->log, 0, "resolver an:%V", &name);



More information about the nginx-devel mailing list