ref: ad3ba8838d82267cbafa5d293b86e2eef41fa9c5
parent: b77eda8fc739976e6894186f9610f2c955a2fe01
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Thu Nov 28 18:47:49 EST 2013
ndb/dns: check bad name length in convM2DNS.c:^gname()
--- a/sys/src/cmd/ndb/convM2DNS.c
+++ b/sys/src/cmd/ndb/convM2DNS.c
@@ -226,7 +226,7 @@
goto err;
pointer = 0;
p = sp->p;
- if (p == nil) {+ if(p == nil) { dnslog("gname: %R: nil sp->p", rp);goto err;
}
@@ -233,10 +233,14 @@
toend = to + Domlen;
for(len = 0; *p && p < sp->ep; len += (pointer? 0: n+1)) {n = 0;
- switch (*p & 0300) {+ switch(*p & 0300) {case 0: /* normal label */
- if (p < sp->ep)
+ if(p < sp->ep)
n = *p++ & 077; /* pick up length */
+ if(sp->ep - p <= n){+ sp->err = "bad name length";
+ goto err;
+ }
if(len + n < Domlen - 1){ if(n > toend - to){errtoolong(rp, sp, toend - to, n,
--
⑨