2118. [bug] Handle response with long chains of domain name

                        compression pointers which point to other compression
                        pointers. [RT #16427]

diff --git a/CHANGES b/CHANGES
index ea8ebb2c55cf9b216b2541e6f1d85b5b4dea6dff..c2e7313186d8d72d9a62954a377d077a41ceb63d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2118.  [bug]           Handle response with long chains of domain name
+                       compression pointers which point to other compression
+                       pointers. [RT #16427]
+
 2116.  [bug]           'rndc reload' could cause the cache to continually
                        be cleaned. [RT #16401]
 

diff --git a/lib/dns/name.c b/lib/dns/name.c
index 99694492955d51fb95ea8be876f1c6bcd521d6d4..2f868fb3d5e3c205f3cd8ca27c1b52d56059a9b7 100644 (file)
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.127.2.14 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: name.c,v 1.127.2.15 2006/12/07 07:02:47 marka Exp $ */
 
 #include <config.h>
 
@@ -2347,17 +2347,19 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 {
        unsigned char *cdata, *ndata;
        unsigned int cused; /* Bytes of compressed name data used */
-       unsigned int hops,  nused, labels, n, nmax;
+       unsigned int nused, labels, n, nmax;
        unsigned int current, new_current, biggest_pointer;
        isc_boolean_t saw_bitstring, done;
        fw_state state = fw_start;
        unsigned int c;
        unsigned char *offsets;
        dns_offsets_t odata;
+       isc_boolean_t seen_pointer;
 
        /*
         * Copy the possibly-compressed name at source into target,
-        * decompressing it.
+        * decompressing it. Loop prevention is performed by checking
+        * the new pointer against biggest_pointer.
         */
 
        REQUIRE(VALID_NAME(name));
@@ -2389,12 +2391,12 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
         * Set up.
         */
        labels = 0;
-       hops = 0;
        saw_bitstring = ISC_FALSE;
        done = ISC_FALSE;
 
        ndata = isc_buffer_used(target);
        nused = 0;
+       seen_pointer = ISC_FALSE;
 
        /*
         * Find the maximum number of uncompressed target name
@@ -2420,7 +2422,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
        while (current < source->active && !done) {
                c = *cdata++;
                current++;
-               if (hops == 0)
+               if (!seen_pointer)
                        cused++;
 
                switch (state) {
@@ -2498,11 +2500,8 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
                                return (DNS_R_BADPOINTER);
                        biggest_pointer = new_current;
                        current = new_current;
-                       cdata = (unsigned char *)source->base +
-                               current;
-                       hops++;
-                       if (hops > DNS_POINTER_MAXHOPS)
-                               return (DNS_R_TOOMANYHOPS);
+                       cdata = (unsigned char *)source->base + current;
+                       seen_pointer = ISC_TRUE;
                        state = fw_start;
                        break;
                default:
@@ -2541,7 +2540,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
                 * big enough buffer.
                 */
                return (ISC_R_NOSPACE);
-
 }
 
 isc_result_t