Date: Fri, 10 Aug 2007 15:37:29 GMT From: Fredrik Lindberg <fli@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 125018 for review Message-ID: <200708101537.l7AFbTdF043336@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=125018 Change 125018 by fli@fli_nexus on 2007/08/10 15:37:24 Limit number of "pointer jumps" in the name decompresstion code to 128 which is the maximum number of jumps any valid name could have. Affected files ... .. //depot/projects/soc2007/fli-mdns_sd/mdnsd/stack_packet.c#10 edit Differences ...
==== //depot/projects/soc2007/fli-mdns_sd/mdnsd/stack_packet.c#10 (text+ko) ====
@@ -307,18 +307,11 @@
 }

 /*
- * Expand/translate a series of labels into a human
- * readable domain name, it also expands domain name compression.
- *
- * name - Pointer to start of name (inside buf)
- * dst - Destination buffer (where to store the expanded name)
- * dstlen - Size of destination buffer (MDNS_RECORD_LEN)
- * buf - Packet buffer
- * pkglen - Packet length
+ * Real decompression routine
 */
 static int
-name_decompress(char *name, char *dst, size_t dstlen, char *buf,
- size_t pkglen)
+decompress(char *name, char *dst, size_t dstlen, char *buf,
+ size_t pkglen, int ptrjmp)
 {
 char *p, *q, val;
 uint16_t offset;
@@ -333,8 +326,10 @@
 offset = ntohs(MDNS_READ2(p)) & ~0xc000;
 if (offset > pkglen || (buf + offset) == name)
 return (-1);
- return (name_decompress(buf + offset, q, dstlen - i,
- buf, pkglen));
+ else if (++ptrjmp > 128)
+ return (-1);
+ return (decompress(buf + offset, q, dstlen - i,
+ buf, pkglen, ptrjmp));
 }
 val = *p & 0x3f;
 if ((p + val + 1) > (buf + pkglen))
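Review bot: The replacement comment above decompress() in the first hunk, `Real decompression routine`, leaves the new `ptrjmp` argument undocumented and no longer describes the other parameters at the function that actually uses them. I would add a line such as `ptrjmp - Number of compression pointers followed so far; callers start at 0`, plus a sentence stating that the routine returns -1 once more than 128 pointers have been followed. The body of decompress() continues outside this hunk.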
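Review bot: The bound on the pointer target in the second hunk still admits `offset == pkglen`, so the new recursive call can be handed `buf + offset` pointing one byte past the end of the packet. The visible code reads `*p` (`val = *p & 0x3f`) before its own length check, so this looks like a one-byte over-read on a malformed packet, although the top of the loop is outside the hunk and may guard it. Tightening the context line to `if (offset >= pkglen || (buf + offset) == name)` would close it. Separately, the literal 128 would read better as a named constant with a comment tying it to the maximum name length, and the `else` after `return (-1);` is redundant.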
@@ -351,6 +346,25 @@
 }

 /*
+ * Expand/translate a series of labels into a human
+ * readable domain name, it also expands domain name compression.
+ *
+ * name - Pointer to start of name (inside buf)
+ * dst - Destination buffer (where to store the expanded name)
+ * dstlen - Size of destination buffer (MDNS_RECORD_LEN)
+ * buf - Packet buffer
+ * pkglen - Packet length
+ */
+static int
+name_decompress(char *name, char *dst, size_t dstlen, char *buf,
+ size_t pkglen)
+{
+ int ptrjmp = 0;
+
+ return (decompress(name, dst, dstlen, buf, pkglen, ptrjmp));
+}
+
+/*
 * Some resource types requires special attention as their resource data
 * contains names that might have been name compressed.
 */
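Review bot: The comment restored above name_decompress() does not say what the function returns, and after this change callers get -1 for a new reason, namely too many compression pointers. A line such as `Returns -1 if the name is malformed, including when the pointer-jump limit is exceeded` would tell callers to treat that as a bad packet; what the success value means is not visible in this hunk. The local `ptrjmp` is also unnecessary, since `return (decompress(name, dst, dstlen, buf, pkglen, 0));` says the same thing.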