File adns-1.5.1-CVE-2017-9104.patch of Package adns.15332
From 7ba7a232de0516d2cce934bdc91627b33b46ef47 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Thu, 1 Dec 2016 01:42:56 +0000
Subject: [PATCH 03/32] SECURITY: Do not hang, eating CPU, if we encounter a
compression pointer loop
Found by AFL 2.35b. CVE-2017-9104.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
src/parse.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/parse.c b/src/parse.c
index 07d0614..790c8ce 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -71,6 +71,7 @@ adns_status adns__findlabel_next(findlabel_state *fls,
int *lablen_r, int *labstart_r) {
int lablen, jumpto;
const char *dgram;
+ int had_pointer= 0;
dgram= fls->dgram;
for (;;) {
@@ -81,6 +82,7 @@ adns_status adns__findlabel_next(findlabel_state *fls,
if ((lablen & 0x0c0) != 0x0c0) return adns_s_unknownformat;
if (fls->cbyte >= fls->dglen) goto x_truncated;
if (fls->cbyte >= fls->max) goto x_badresponse;
+ if (had_pointer++ >= 2) goto x_loop;
GET_B(fls->cbyte,jumpto);
jumpto |= (lablen&0x3f)<<8;
if (fls->dmend_r) *(fls->dmend_r)= fls->cbyte;
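Review bot: The bound in `if (had_pointer++ >= 2) goto x_loop;` is an unexplained magic number, and `had_pointer` reads like a flag although it is used as a hop counter. Because it is a local initialised to 0 at the top of the function, it limits only consecutive compression pointers followed within one call. A cycle that passes through a real label on each lap would not trip it, and presumably relies on a name-length limit elsewhere in the function, which lies outside this hunk and should be confirmed. I would add a comment above the check such as `/* at most 2 consecutive compression pointers; a longer chain is treated as a loop */` and consider naming the limit with a constant so the policy is visible to the next reader.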
@@ -109,6 +111,11 @@ adns_status adns__findlabel_next(findlabel_state *fls,
adns__diag(fls->ads,fls->serv,fls->qu,
"label in domain runs beyond end of domain");
return adns_s_invalidresponse;
+
+ x_loop:
+ adns__diag(fls->ads,fls->serv,fls->qu,
+ "compressed label pointer chain");
+ return adns_s_invalidresponse;
}
adns_status adns__parse_domain(adns_state ads, int serv, adns_query qu,
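Review bot: The diagnostic string `"compressed label pointer chain"` under `x_loop:` does not say what was wrong with the chain, unlike the neighbouring `"label in domain runs beyond end of domain"`. A wording such as `"compressed label pointer chain too long (possible loop)"` would tell whoever triages the log that the response was rejected for excessive pointer indirection. Returning `adns_s_invalidresponse` matches the branch directly above, so only the message text needs changing.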
--
2.20.1