From 077a890a76fff4f071776184aed881b5f314c98a Mon Sep 17 00:00:00 2001 From: Maxim Dounin Date: Tue, 25 May 2021 15:17:38 +0300 Subject: [PATCH] Resolver: fixed off-by-one read in ngx_resolver_copy(). It is believed to be harmless, and in the worst case it uses some uninitialized memory as a part of the compression pointer length, eventually leading to the "name is out of DNS response" error. --- src/core/ngx_resolver.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c index 63b26193d..9b1317234 100644 --- a/src/core/ngx_resolver.c +++ b/src/core/ngx_resolver.c @@ -3958,6 +3958,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src, } if (n & 0xc0) { + if (p >= last) { + err = "name is out of DNS response"; + goto invalid; + } + n = ((n & 0x3f) << 8) + *p; p = &buf[n];