Overview

File bsc1185391.2_CVE-2019-25040.1_2d444a50.patch of Package unbound.32015

From 2d444a5037acff6024630b88092d9188f2f5d8fe Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Tue, 3 Dec 2019 16:17:03 +0100
Subject: [PATCH] - Fix Insufficient Handling of Compressed Names in
 dname_pkt_copy(),   reported by X41 D-Sec.

---
 util/data/dname.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- util/data/dname.c
+++ util/data/dname.c	2022-01-17 12:49:55.864016093 +0000
@@ -339,15 +339,21 @@ dname_pkt_hash(sldns_buffer* pkt, uint8_
 void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
 {
 	/* copy over the dname and decompress it at the same time */
+	size_t comprcount = 0;
 	size_t len = 0;
 	uint8_t lablen;
 	lablen = *dname++;
 	while(lablen) {
 		if(LABEL_IS_PTR(lablen)) {
+			if(comprcount++ > MAX_COMPRESS_PTRS) {
+				/* too many compression pointers */
+				*to = 0; /* end the result prematurely */
+				return;
+			}
 			/* follow pointer */
-		if((size_t)PTR_OFFSET(lablen, *dname)
-			>= sldns_buffer_limit(pkt))
-			return;
+			if((size_t)PTR_OFFSET(lablen, *dname)
+				>= sldns_buffer_limit(pkt))
+				return;
 			dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
 			lablen = *dname++;
 			continue;
openSUSE Build Service is sponsored by
Places