[nginx] Resolver: fixed off-by-one read in ngx_resolver_copy().

Maxim Dounin mdounin at mdounin.ru
Tue May 25 15:33:17 UTC 2021


details:   https://hg.nginx.org/nginx/rev/a093dd4ce154
branches:  
changeset: 7850:a093dd4ce154
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Tue May 25 15:17:38 2021 +0300
description:
Resolver: fixed off-by-one read in ngx_resolver_copy().

It is believed to be harmless, and in the worst case it uses some
uninitialized memory as a part of the compression pointer length,
eventually leading to the "name is out of DNS response" error.

diffstat:

 src/core/ngx_resolver.c |  5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diffs (15 lines):

diff -r 2fd40ee19c20 -r a093dd4ce154 src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c	Tue May 25 15:17:36 2021 +0300
+++ b/src/core/ngx_resolver.c	Tue May 25 15:17:38 2021 +0300
@@ -3958,6 +3958,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx
         }
 
         if (n & 0xc0) {
+            if (p >= last) {
+                err = "name is out of DNS response";
+                goto invalid;
+            }
+
             n = ((n & 0x3f) << 8) + *p;
             p = &buf[n];
 


More information about the nginx-devel mailing list