[nginx] Resolver: fixed off-by-one read in ngx_resolver_copy().

Maxim Dounin mdounin at mdounin.ru
Tue May 25 15:34:13 UTC 2021


details:   https://hg.nginx.org/nginx/rev/5d561a77502e
branches:  stable-1.20
changeset: 7859:5d561a77502e
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Tue May 25 15:17:38 2021 +0300
description:
Resolver: fixed off-by-one read in ngx_resolver_copy().

It is believed to be harmless, and in the worst case it uses some
uninitialized memory as a part of the compression pointer length,
eventually leading to the "name is out of DNS response" error.

diffstat:

 src/core/ngx_resolver.c |  5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diffs (15 lines):

diff -r 7f702d35ac38 -r 5d561a77502e src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c	Tue May 25 15:17:36 2021 +0300
+++ b/src/core/ngx_resolver.c	Tue May 25 15:17:38 2021 +0300
@@ -3958,6 +3958,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx
         }
 
         if (n & 0xc0) {
+            if (p >= last) {
+                err = "name is out of DNS response";
+                goto invalid;
+            }
+
             n = ((n & 0x3f) << 8) + *p;
             p = &buf[n];
 
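Review bot: The new `p >= last` guard before `n = ((n & 0x3f) << 8) + *p;` closes the one-byte over-read of the second compression-pointer byte, but within this hunk the jump target `p = &buf[n];` is not itself range-checked: `n` is a 14-bit offset taken straight from the response, so the code after the hunk must verify `p < last` before `p` is dereferenced again. Please confirm that the existing checks below cover this, or add the bound check next to the new one. A one-line comment above the guard stating that a compression pointer occupies two bytes and that `p` already points at the second one would also make the `>=` comparison (rather than `>`) self-explanatory, and it would be worth noting in the commit message that the reused "name is out of DNS response" error string now also covers a truncated pointer.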

