Date: Fri, 10 Aug 2007 15:37:29 GMT
From: Fredrik Lindberg
To: Perforce Change Reviews
Subject: PERFORCE change 125018 for review

http://perforce.freebsd.org/chv.cgi?CH=125018

Change 125018 by fli@fli_nexus on 2007/08/10 15:37:24

Limit number of "pointer jumps" in the name decompression code to 128 which is the maximum number of jumps any valid name could have.

Affected files ...

.. //depot/projects/soc2007/fli-mdns_sd/mdnsd/stack_packet.c#10 edit

Differences ...

==== //depot/projects/soc2007/fli-mdns_sd/mdnsd/stack_packet.c#10 (text+ko) ==== @@ -307,18 +307,11 @@ } /* - * Expand/translate a series of labels into a human - * readable domain name, it also expands domain name compression. - * - * name - Pointer to start of name (inside buf) - * dst - Destination buffer (where to store the expanded name) - * dstlen - Size of destination buffer (MDNS_RECORD_LEN) - * buf - Packet buffer - * pkglen - Packet length + * Real decompression routine */ static int -name_decompress(char *name, char *dst, size_t dstlen, char *buf, - size_t pkglen) +decompress(char *name, char *dst, size_t dstlen, char *buf, + size_t pkglen, int ptrjmp) { char *p, *q, val; uint16_t offset; @@ -333,8 +326,10 @@ offset = ntohs(MDNS_READ2(p)) & ~0xc000; if (offset > pkglen || (buf + offset) == name) return (-1); - return (name_decompress(buf + offset, q, dstlen - i, - buf, pkglen)); + else if (++ptrjmp > 128) + return (-1); + return (decompress(buf + offset, q, dstlen - i, + buf, pkglen, ptrjmp)); } val = *p & 0x3f; if ((p + val + 1) > (buf + pkglen)) 
@@ -351,6 +346,25 @@ } /* + * Expand/translate a series of labels into a human + * readable domain name, it also expands domain name compression. + * + * name - Pointer to start of name (inside buf) + * dst - Destination buffer (where to store the expanded name) + * dstlen - Size of destination buffer (MDNS_RECORD_LEN) + * buf - Packet buffer + * pkglen - Packet length + */ +static int +name_decompress(char *name, char *dst, size_t dstlen, char *buf, + size_t pkglen) +{ + int ptrjmp = 0; + + return (decompress(name, dst, dstlen, buf, pkglen, ptrjmp)); +} + +/* * Some resource types requires special attention as their resource data * contains names that might have been name compressed. */
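Review bot: the new `ptrjmp` parameter of `decompress()` in the first hunk (@@ -307) is undocumented, because the header comment there is reduced to "Real decompression routine". Please say that it counts the compression pointers followed so far and that the initial caller passes 0, or refer the reader to the `name_decompress()` comment where the other arguments are now described.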
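Review bot: in the pointer branch of the second hunk (@@ -333), the unchanged test `offset > pkglen` still lets `offset == pkglen` through, so the recursive call starts at `buf + pkglen`, one byte past the packet; `offset >= pkglen` looks like the intended bound and would be worth fixing while this code is being touched. Two smaller points on the added lines: the `else` after `return (-1);` is redundant, and the literal 128 would read better as a named constant with a comment giving the reasoning from the change description. With the jump counter in place, the `(buf + offset) == name` test only catches a pointer that targets itself, so the counter is now the check that bounds longer loops.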
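Review bot: the local `int ptrjmp = 0;` in the new `name_decompress()` wrapper (third hunk, @@ -351) is only used as the last argument, so passing a literal 0 to `decompress()` would be simpler. The restored header comment should also mention that the function returns -1 once a name needs more than 128 pointer jumps, since that is now part of the contract callers see.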