[nginx] Resolver: fixed off-by-one read in ngx_resolver_copy().
Maxim Dounin
mdounin at mdounin.ru
Tue May 25 15:33:17 UTC 2021
details: https://hg.nginx.org/nginx/rev/a093dd4ce154
branches:
changeset: 7850:a093dd4ce154
user: Maxim Dounin <mdounin at mdounin.ru>
date: Tue May 25 15:17:38 2021 +0300
description:
Resolver: fixed off-by-one read in ngx_resolver_copy().
It is believed to be harmless, and in the worst case it uses some
uninitialized memory as a part of the compression pointer length,
eventually leading to the "name is out of DNS response" error.
diffstat:
src/core/ngx_resolver.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diffs (15 lines):
diff -r 2fd40ee19c20 -r a093dd4ce154 src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c Tue May 25 15:17:36 2021 +0300
+++ b/src/core/ngx_resolver.c Tue May 25 15:17:38 2021 +0300
@@ -3958,6 +3958,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx
}
if (n & 0xc0) {
+ if (p >= last) {
+ err = "name is out of DNS response";
+ goto invalid;
+ }
+
n = ((n & 0x3f) << 8) + *p;
p = &buf[n];
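Review bot: the new `p >= last` check covers only the second pointer byte; nothing in this hunk validates the target offset `n` before `p = &buf[n]` on the line that follows, so please confirm the code after the hunk checks `n` against the response length before the next read (the commit message says the existing "name is out of DNS response" path catches it, but that is outside the visible lines). Minor: the `if (n & 0xc0)` test also accepts the reserved 0x40 and 0x80 label types as pointers; a `(n & 0xc0) == 0xc0` test with a separate reject for the reserved values would be stricter, though that is pre-existing behaviour rather than part of this change.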
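The check the patch adds, placed in a complete bounds-checked DNS name decoder so its role is visible. This is an added example written for this page, not nginx's ngx_resolver_copy(); the function names dns_copy_name, demo_decode and demo_loop, the hop limit, and the sample messages are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not nginx code): decode an RFC 1035 domain name, following
 * compression pointers, without reading past the end of the message.
 * Returns the length of the dotted name written to `out`, or -1 on error. */
#define DNS_MAX_NAME 255
#define DNS_MAX_HOPS 16   /* constructed limit to stop pointer loops */

int dns_copy_name(const unsigned char *buf, size_t len, size_t off,
                  char *out, size_t outlen)
{
    const unsigned char *p = buf + off;
    const unsigned char *last = buf + len;
    size_t n_out = 0, need;
    int hops = 0;
    unsigned n;

    if (off >= len) return -1;

    for (;;) {
        if (p >= last) return -1;        /* the length/pointer byte itself is out of bounds */
        n = *p++;

        if (n & 0xc0) {
            if ((n & 0xc0) != 0xc0) return -1;   /* 0x40 and 0x80 are reserved, not pointers */

            /* The check the patch adds: a compression pointer is two bytes, and the
             * second one must still lie inside the message before it is read. */
            if (p >= last) return -1;

            n = ((n & 0x3f) << 8) + *p;
            if (n >= len) return -1;             /* pointer target outside the message */
            if (++hops > DNS_MAX_HOPS) return -1; /* pointer loop or absurd chain */
            p = buf + n;
            continue;
        }

        if (n == 0) break;                       /* root label terminates the name */
        if (n > 63) return -1;                   /* label length field is 6 bits */
        if ((size_t)(last - p) < n) return -1;   /* label bytes out of bounds */

        need = n_out + (n_out ? 1 : 0) + n;      /* existing text + '.' + label */
        if (need > DNS_MAX_NAME || need + 1 > outlen) return -1;
        if (n_out) out[n_out++] = '.';
        memcpy(out + n_out, p, n);
        n_out += n;
        p += n;
    }

    if (n_out + 1 > outlen) return -1;
    out[n_out] = '\0';
    return (int)n_out;
}

/* Constructed sample: "www.example.com" at offset 0 (17 bytes), followed by a
 * compression pointer 0xc0 0x00 at offset 17 that refers back to it. */
static const unsigned char sample_msg[] = {
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0xc0, 0x00
};

/* Constructed sample: a pointer that refers to itself. */
static const unsigned char loop_msg[] = { 0xc0, 0x00 };

/* Decode the name at `off` from sample_msg, treating only its first `len` bytes
 * as the message (so a truncated pointer can be exercised). */
int demo_decode(size_t len, size_t off, char *out, size_t outlen)
{
    if (len > sizeof sample_msg) return -1;
    return dns_copy_name(sample_msg, len, off, out, outlen);
}

int demo_loop(char *out, size_t outlen)
{
    return dns_copy_name(loop_msg, sizeof loop_msg, 0, out, outlen);
}

int main(void)
{
    char name[DNS_MAX_NAME + 1];

    printf("full message, pointer at 17: %d %s\n",
           demo_decode(sizeof sample_msg, 17, name, sizeof name), name);
    printf("message cut after the 0xc0 byte: %d\n",
           demo_decode(18, 17, name, sizeof name));
    printf("self-referencing pointer: %d\n", demo_loop(name, sizeof name));
    return 0;
}
```

With the message cut to 18 bytes the first pointer byte is the last byte of the buffer, which is exactly the case the patch guards: without the `p >= last` test the decoder would read one byte past the end to form the pointer offset.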