authorMaxim Dounin <mdounin@mdounin.ru>2021-05-25 15:17:38 +0300
committerMaxim Dounin <mdounin@mdounin.ru>2021-05-25 15:17:38 +0300
commit077a890a76fff4f071776184aed881b5f314c98a (patch)
treed04138f8f25efa1e5cf7ad6bf9e47f5c15e8e9a0
parent9f1dcb0c0473641730b871dee984016ff19d2c53 (diff)
Resolver: fixed off-by-one read in ngx_resolver_copy().
It is believed to be harmless, and in the worst case it uses some uninitialized memory as a part of the compression pointer length, eventually leading to the "name is out of DNS response" error.
-rw-r--r--src/core/ngx_resolver.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index 63b26193d..9b1317234 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -3958,6 +3958,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src,
}
if (n & 0xc0) {
+ if (p >= last) {
+ err = "name is out of DNS response";
+ goto invalid;
+ }
+
n = ((n & 0x3f) << 8) + *p;
p = &buf[n];
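Review bot: The added `p >= last` guard in the `if (n & 0xc0)` branch carries no comment, and without one it can be mistaken for a duplicate bounds check and removed later; I would add `/* a compression pointer is two octets; the second must lie inside the response */` above it. The next line, `p = &buf[n]`, builds a pointer from a 14-bit offset taken from the response, and the hunk does not show where that new `p` is compared with `last` before it is dereferenced. ngx_resolver_copy() continues outside the hunk, so that is something to confirm rather than a finding. A regression test with a response that ends right after the first octet of a compression pointer would pin the new "name is out of DNS response" path.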