SECURITY: Do not hang, eating CPU, if we encounter a compression pointer loop
authorIan Jackson <ijackson@chiark.greenend.org.uk>
Thu, 1 Dec 2016 01:42:56 +0000 (01:42 +0000)
committerIan Jackson <ijackson@chiark.greenend.org.uk>
Tue, 26 May 2020 19:08:25 +0000 (20:08 +0100)
Found by AFL 2.35b.  CVE-2017-9104.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
src/parse.c

index 07d0614afcbf6d002849e99c1940bbda64a3cd06..790c8ce51b3da32f1f3282d27123d4391022c481 100644 (file)
@@ -71,6 +71,7 @@ adns_status adns__findlabel_next(findlabel_state *fls,
                                 int *lablen_r, int *labstart_r) {
   int lablen, jumpto;
   const char *dgram;
+  int had_pointer= 0;
 
   dgram= fls->dgram;
   for (;;) {
@@ -81,6 +82,7 @@ adns_status adns__findlabel_next(findlabel_state *fls,
     if ((lablen & 0x0c0) != 0x0c0) return adns_s_unknownformat;
     if (fls->cbyte >= fls->dglen) goto x_truncated;
     if (fls->cbyte >= fls->max) goto x_badresponse;
+    if (had_pointer++ >= 2) goto x_loop;
     GET_B(fls->cbyte,jumpto);
     jumpto |= (lablen&0x3f)<<8;
     if (fls->dmend_r) *(fls->dmend_r)= fls->cbyte;
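Review bot: The cap in `if (had_pointer++ >= 2) goto x_loop;` is undocumented and the name `had_pointer` (declared as `int had_pointer= 0;` in the first hunk) reads as a boolean even though the code uses it as a hop counter; a reader cannot tell whether the third hop being rejected is deliberate. I would rename it and state the bound, e.g. `int npointers= 0;` and `/* follow at most two compression pointers per label; a third is treated as a loop */` above the check, or at minimum add that comment to the existing line. It is also worth noting in the comment that this bounds the walk by hop count rather than by detecting a revisited offset, so a legitimately longer forward chain is rejected as well, which is presumably acceptable. The enclosing loop and the rest of adns__findlabel_next continue outside this hunk.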
@@ -109,6 +111,11 @@ adns_status adns__findlabel_next(findlabel_state *fls,
   adns__diag(fls->ads,fls->serv,fls->qu,
             "label in domain runs beyond end of domain");
   return adns_s_invalidresponse;
+
+ x_loop: 
+  adns__diag(fls->ads,fls->serv,fls->qu,
+            "compressed label pointer chain");
+  return adns_s_invalidresponse;
 }
 
 adns_status adns__parse_domain(adns_state ads, int serv, adns_query qu,
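Review bot: The added label line `x_loop: ` carries a trailing space, unlike the neighbouring labels in this function; it should be `x_loop:`. The diagnostic `"compressed label pointer chain"` does not say that the chain was rejected for being too long, so a one-word addition such as `"compressed label pointer chain too long"` would make log triage clearer without changing the return status. The function's body before this hunk is outside the visible lines.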