mirror of
https://github.com/nginx/nginx.git
synced 2024-12-23 15:40:03 -06:00
Resolver: fixed off-by-one read in ngx_resolver_copy().
It is believed to be harmless, and in the worst case it uses some uninitialized memory as a part of the compression pointer length, eventually leading to the "name is out of DNS response" error.
This commit is contained in:
parent
9f1dcb0c04
commit
077a890a76
@ -3958,6 +3958,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src,
|
||||
}
|
||||
|
||||
if (n & 0xc0) {
|
||||
if (p >= last) {
|
||||
err = "name is out of DNS response";
|
||||
goto invalid;
|
||||
}
|
||||
|
||||
n = ((n & 0x3f) << 8) + *p;
|
||||
p = &buf[n];
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user