int dns_packet_read_name(DnsPacket *p, char **_ret,
bool allow_compression, size_t *start) {
- size_t saved_rindex, after_rindex = 0;
+ size_t saved_rindex, after_rindex = 0, jump_barrier;
_cleanup_free_ char *ret = NULL;
size_t n = 0, allocated = 0;
bool first = true;
assert(_ret);
saved_rindex = p->rindex;
+ jump_barrier = p->rindex;
for (;;) {
uint8_t c, d;
goto fail;
ptr = (uint16_t) (c & ~0xc0) << 8 | (uint16_t) d;
- if (ptr < DNS_PACKET_HEADER_SIZE || ptr >= saved_rindex) {
+ if (ptr < DNS_PACKET_HEADER_SIZE || ptr >= jump_barrier) {
r = -EBADMSG;
goto fail;
}
if (after_rindex == 0)
after_rindex = p->rindex;
+ /* Jumps are limited to a "prior occurence" (RFC-1035 4.1.4) */
+ jump_barrier = ptr;
p->rindex = ptr;
- } else
+ } else {
+ r = -EBADMSG;
goto fail;
+ }
}
if (!GREEDY_REALLOC(ret, allocated, n + 1)) {
case DNS_TYPE_TXT: {
char *s;
+ /* RFC 1035 says that TXT must be at least one
+ string. Reject empty records. */
+ if (!rdlength) {
+ r = -EBADMSG;
+ goto fail;
+ }
+
while (p->rindex < offset + rdlength) {
r = dns_packet_read_string(p, &s, NULL);
if (r < 0)