From 7ba7a232de0516d2cce934bdc91627b33b46ef47 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Thu, 1 Dec 2016 01:42:56 +0000
Subject: [PATCH] SECURITY: Do not hang, eating CPU, if we encounter a compression pointer loop

Found by AFL 2.35b.

CVE-2017-9104.

Signed-off-by: Ian Jackson
---
 src/parse.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/parse.c b/src/parse.c
index 07d0614..790c8ce 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -71,6 +71,7 @@ adns_status adns__findlabel_next(findlabel_state *fls,
                                  int *lablen_r, int *labstart_r) {
   int lablen, jumpto;
   const char *dgram;
+  int had_pointer= 0;
 
   dgram= fls->dgram;
   for (;;) {
@@ -81,6 +82,7 @@ adns_status adns__findlabel_next(findlabel_state *fls,
     if ((lablen & 0x0c0) != 0x0c0) return adns_s_unknownformat;
     if (fls->cbyte >= fls->dglen) goto x_truncated;
     if (fls->cbyte >= fls->max) goto x_badresponse;
+    if (had_pointer++ >= 2) goto x_loop;
     GET_B(fls->cbyte,jumpto);
     jumpto |= (lablen&0x3f)<<8;
     if (fls->dmend_r) *(fls->dmend_r)= fls->cbyte;
@@ -109,6 +111,11 @@ adns_status adns__findlabel_next(findlabel_state *fls,
   adns__diag(fls->ads,fls->serv,fls->qu,
              "label in domain runs beyond end of domain");
   return adns_s_invalidresponse;
+
+ x_loop:
+  adns__diag(fls->ads,fls->serv,fls->qu,
+             "compressed label pointer chain");
+  return adns_s_invalidresponse;
 }
 
 adns_status adns__parse_domain(adns_state ads, int serv, adns_query qu,
-- 
2.30.2
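Review bot: The new guard `if (had_pointer++ >= 2) goto x_loop;` in the second hunk has no comment explaining the bound, and the number 2 is a policy decision a later reader needs to understand: as written, a name may follow at most two consecutive compression pointers before the third is rejected as adns_s_invalidresponse, which also rejects any legitimately nested chain deeper than that (RFC 1035 does not bound chain depth, though deep chains are unusual). Because had_pointer is a local initialised in the first hunk, the count restarts on every call to adns__findlabel_next, so the cap only bounds pointer-to-pointer cycles that never consume a label byte; a cycle that passes through a real label is presumably bounded by the name-length accounting in the part of the function not shown between the hunks, and that division of responsibility is worth stating next to the check. A comment such as `/* cap consecutive pointer hops: a pointer->pointer cycle never advances the name length, so nothing else would terminate it */` would make both the intent and the limit reviewable. The enclosing function begins in the first hunk's context and its body continues outside the second hunk.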