From c29b0e0a96c4d281aef40d69a11c564d6ed1a2c6 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Thu, 3 Feb 2022 09:03:09 +0100
Subject: [PATCH] - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
---
 doc/Changelog | 3 +++
 sldns/wire2str.c | 11 +++++++++++
 2 files changed, 14 insertions(+)
diff --git a/doc/Changelog b/doc/Changelog
index e16be03f3..8af7d3f88 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+3 February 2022: Wouter
+ - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+
 2 February 2022: George
 - Merge PR #532 from Shchelk: Fix: buffer overflow bug.
 - Merge PR #616: Update ratelimit logic. It also introduces
diff --git a/sldns/wire2str.c b/sldns/wire2str.c
index 6a177ec0b..b70efe299 100644
--- a/sldns/wire2str.c
+++ b/sldns/wire2str.c
@@ -817,6 +817,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 unsigned i, counter=0;
 unsigned maxcompr = MAX_COMPRESS_PTRS; /* loop detection, max compr ptrs */
 int in_buf = 1;
+ size_t dname_len = 0;
 if(comprloop) {
 if(*comprloop != 0)
 maxcompr = 30; /* for like ipv6 reverse name, per label */
@@ -872,6 +873,16 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 labellen = (uint8_t)*dlen;
 else if(!in_buf && pos+(size_t)labellen > pkt+pktlen)
 labellen = (uint8_t)(pkt + pktlen - pos);
+ dname_len += ((size_t)labellen)+1;
+ if(dname_len > LDNS_MAX_DOMAINLEN) {
+ /* dname_len counts the uncompressed length we have
+ * seen so far, and the domain name has become too
+ * long, prevent the loop from printing overly long
+ * content. */
+ w += sldns_str_print(s, slen,
+ "ErrorDomainNameTooLong");
+ return w;
+ }
 for(i=0; i<(unsigned)labellen; i++) {
 w += dname_char_print(s, slen, *pos++);
 }
--
2.47.3
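Review bot: The new bound in the second sldns/wire2str.c hunk looks one octet looser than the wire limit: `dname_len` adds `labellen+1` per label and is compared with `>`, and nothing visible here counts the terminating root octet, so (assuming LDNS_MAX_DOMAINLEN is the 255-octet maximum that includes that octet) a name whose labels already total 255 octets is still printed in full. That does not weaken the overflow fix, since the output per name stays bounded, but if the marker is meant to flag every over-length name the test would be `if(dname_len >= LDNS_MAX_DOMAINLEN) {`; otherwise the comment should say that the root label is deliberately left out of the count. The early `return w;` also sits before whatever advances `*d`/`*dlen` for this label, which is outside the hunk, so it is worth confirming that callers which keep scanning after "ErrorDomainNameTooLong" tolerate resuming in the middle of a name. The body of sldns_wire2str_dname_scan begins and ends outside both hunks.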