From: Vsevolod Stakhov
Date: Tue, 13 Jul 2010 13:36:01 +0000 (+0400)
Subject: * Fix lua DNS code
X-Git-Tag: 0.3.1~48
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=97f8fe9a94ac2d4a7fcc2f516421053bf0c9a4e4;p=rspamd.git
* Fix lua DNS code
* Decompress labels in DNS packets more strictly
---
diff --git a/src/dns.c b/src/dns.c
index 58ca9ffe2..21aaebc6b 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -565,11 +565,14 @@ dns_fin_cb (gpointer arg)
 }
 static guint8 *
-decompress_label (guint8 *begin, guint16 *len)
+decompress_label (guint8 *begin, guint16 *len, guint16 max)
 {
 guint16 offset;
 offset = ntohs ((*len) ^ DNS_COMPRESSION_BITS);
+ if (offset > max) {
+ return NULL;
+ }
 *len = *(begin + offset);
 return begin + offset;
 }
@@ -603,7 +606,11 @@ dns_request_reply_cmp (struct rspamd_dns_request *req, guint8 *in, int len)
 /* This may be compressed, so we need to decompress it */
 if (len1 & DNS_COMPRESSION_BITS) {
 memcpy (&len1, p, sizeof (guint16));
- l1 = decompress_label (in, &len1);
+ l1 = decompress_label (in, &len1, len);
+ if (l1 == NULL) {
+ msg_info ("invalid DNS pointer");
+ return NULL;
+ }
 decompressed ++;
 l1 ++;
 p += 2;
@@ -614,7 +621,11 @@ dns_request_reply_cmp (struct rspamd_dns_request *req, guint8 *in, int len)
 }
 if (len2 & DNS_COMPRESSION_BITS) {
 memcpy (&len2, p, sizeof (guint16));
- l2 = decompress_label (req->packet, &len2);
+ l2 = decompress_label (req->packet, &len2, len);
+ if (l2 == NULL) {
+ msg_info ("invalid DNS pointer");
+ return NULL;
+ }
 decompressed ++;
 l2 ++;
 c += 2;
@@ -671,7 +682,11 @@ dns_parse_labels (guint8 *in, char **target, guint8 **pos, struct rspamd_dns_rep
 else if (llen & DNS_COMPRESSION_BITS) {
 ptrs ++;
 memcpy (&llen, p, sizeof (guint16));
- l = decompress_label (in, &llen);
+ l = decompress_label (in, &llen, length + (*pos - in));
+ if (l == NULL) {
+ msg_info ("invalid DNS pointer");
+ return FALSE;
+ }
 if (offset < 0) {
 offset = p - begin + 2;
 }
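Review bot: The new bound in decompress_label (hunk at -565) is `if (offset > max)`, so an offset equal to `max` passes and `*(begin + offset)` reads one byte past the buffer if `max` is the number of valid bytes, as the call sites passing `len` suggest; the test should be `if (offset >= max) {`. The check also covers only the length byte at the pointer target: the label bytes that follow it are not compared with `max` here, so a target near the end of the packet can still lead callers to read past it. `max` is declared `guint16` while the call sites pass `int` expressions, so a larger value would be narrowed silently; a wider parameter type avoids that.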
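Review bot: In the second dns_request_reply_cmp hunk (at -614) the pointer into `req->packet` is bounded by `len`, which is the length of the reply buffer `in`, not of the stored request packet. If the request is shorter than the reply, an offset below `len` can still land outside `req->packet`; the bound passed to `decompress_label` should be the request packet's own length, which is not visible in this hunk. The context line `memcpy (&len2, p, sizeof (guint16));` also reads from `p` although the branch then advances `c`, which looks unintended and is worth confirming. The function body starts and ends outside the hunk.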
@@ -705,7 +720,7 @@ dns_parse_labels (guint8 *in, char **target, guint8 **pos, struct rspamd_dns_rep
 }
 else if (llen & DNS_COMPRESSION_BITS) {
 memcpy (&llen, p, sizeof (guint16));
- l = decompress_label (in, &llen);
+ l = decompress_label (in, &llen, length + (*pos - in));
 begin = p;
 p = l + *l + 1;
 namelen += *p;
diff --git a/src/lua/lua_task.c b/src/lua/lua_task.c
index a8258cb2a..71a36aba1 100644
--- a/src/lua/lua_task.c
+++ b/src/lua/lua_task.c
@@ -267,6 +267,7 @@ lua_dns_callback (struct rspamd_dns_reply *reply, gpointer arg)
 /* Actually this copy memory, so using of inet_ntoa is valid */
 lua_pushstring (cd->L, inet_ntoa (ina));
 lua_rawseti (cd->L, -2, ++i);
+ cur = g_list_next (cur);
 }
 lua_pushnil (cd->L);
 }
@@ -277,6 +278,7 @@ lua_dns_callback (struct rspamd_dns_reply *reply, gpointer arg)
 elt = cur->data;
 lua_pushstring (cd->L, elt->ptr.name);
 lua_rawseti (cd->L, -2, ++i);
+ cur = g_list_next (cur);
 }
 lua_pushnil (cd->L);
@@ -288,6 +290,7 @@ lua_dns_callback (struct rspamd_dns_reply *reply, gpointer arg)
 elt = cur->data;
 lua_pushstring (cd->L, elt->txt.data);
 lua_rawseti (cd->L, -2, ++i);
+ cur = g_list_next (cur);
 }
 lua_pushnil (cd->L);
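Review bot: The second dns_parse_labels hunk (at -705) passes the new bound to `decompress_label` but never tests the result, so a rejected compression pointer leaves `l` NULL and the following `p = l + *l + 1;` dereferences it. A malformed reply would therefore crash the parser at the very point the stricter check was meant to protect. The earlier hunk in the same function already handles this case, and the same guard is needed here before `begin = p;`: `if (l == NULL) { msg_info ("invalid DNS pointer"); return FALSE; }`. The enclosing function starts and ends outside the hunk, so `FALSE` is assumed to be the right failure value from its use in the earlier hunk.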
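Review bot: In lua_dns_callback the advance `cur = g_list_next (cur);` is added as the last statement of each loop body (hunks at -267, -277 and -288), so any later `continue` or early exit path added inside these bodies would bring back the non-terminating loop this commit fixes. The loop headers are outside the hunks; if they are plain `while (cur)` loops, a `for (...; cur != NULL; cur = g_list_next (cur))` header keeps the advance where it cannot be skipped. A one-line comment on the first loop, such as `/* advance here: the loop condition only tests cur */`, would document the intent if the `while` form is kept.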