author | Vsevolod Stakhov <vsevolod@rambler-co.ru> | 2010-07-13 17:36:01 +0400 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@rambler-co.ru> | 2010-07-13 17:36:01 +0400 |
commit | 97f8fe9a94ac2d4a7fcc2f516421053bf0c9a4e4 (patch) | |
tree | 654b536a1b8fefadfbab8028faebb7dea7e6bb44 | |
parent | a62ddb9677b3a017a7520c5e294c123687f74523 (diff) | |
* Fix lua DNS code
* Decompress labels in DNS packets more strictly
-rw-r--r-- | src/dns.c | 25 | ||||
-rw-r--r-- | src/lua/lua_task.c | 3 |
2 files changed, 23 insertions, 5 deletions
@@ -565,11 +565,14 @@ dns_fin_cb (gpointer arg) } static guint8 * -decompress_label (guint8 *begin, guint16 *len) +decompress_label (guint8 *begin, guint16 *len, guint16 max) { guint16 offset; offset = ntohs ((*len) ^ DNS_COMPRESSION_BITS); + if (offset > max) { + return NULL; + } *len = *(begin + offset); return begin + offset; } @@ -603,7 +606,11 @@ dns_request_reply_cmp (struct rspamd_dns_request *req, guint8 *in, int len) /* This may be compressed, so we need to decompress it */ if (len1 & DNS_COMPRESSION_BITS) { memcpy (&len1, p, sizeof (guint16)); - l1 = decompress_label (in, &len1); + l1 = decompress_label (in, &len1, len); + if (l1 == NULL) { + msg_info ("invalid DNS pointer"); + return NULL; + } decompressed ++; l1 ++; p += 2; @@ -614,7 +621,11 @@ dns_request_reply_cmp (struct rspamd_dns_request *req, guint8 *in, int len) } if (len2 & DNS_COMPRESSION_BITS) { memcpy (&len2, p, sizeof (guint16)); - l2 = decompress_label (req->packet, &len2); + l2 = decompress_label (req->packet, &len2, len); + if (l2 == NULL) { + msg_info ("invalid DNS pointer"); + return NULL; + } decompressed ++; l2 ++; c += 2; @@ -671,7 +682,11 @@ dns_parse_labels (guint8 *in, char **target, guint8 **pos, struct rspamd_dns_rep else if (llen & DNS_COMPRESSION_BITS) { ptrs ++; memcpy (&llen, p, sizeof (guint16)); - l = decompress_label (in, &llen); + l = decompress_label (in, &llen, length + (*pos - in)); + if (l == NULL) { + msg_info ("invalid DNS pointer"); + return FALSE; + } if (offset < 0) { offset = p - begin + 2; } @@ -705,7 +720,7 @@ dns_parse_labels (guint8 *in, char **target, guint8 **pos, struct rspamd_dns_rep } else if (llen & DNS_COMPRESSION_BITS) { memcpy (&llen, p, sizeof (guint16)); - l = decompress_label (in, &llen); + l = decompress_label (in, &llen, length + (*pos - in)); begin = p; p = l + *l + 1; namelen += *p; diff --git a/src/lua/lua_task.c b/src/lua/lua_task.c index a8258cb2a..71a36aba1 100644 --- a/src/lua/lua_task.c +++ b/src/lua/lua_task.c 
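Review bot: The new bound in `decompress_label` is off by one: with `if (offset > max)` a pointer whose offset equals the packet length still passes, and `*len = *(begin + offset)` then reads one byte past the buffer. The guard should be `if (offset >= max) { return NULL; }`. The check also covers only the length byte, so a label that starts inside the packet but whose `*len` bytes run past `max` is still handed back to the callers; a second test such as `if (offset + 1 + *len > max) return NULL;` after the read would close that, assuming callers consume `*len` bytes from the returned pointer. `max` is declared `guint16` while the call sites pass an `int` length, so a negative or oversized value would be silently truncated; taking the bound as a wider type would avoid that.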
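Review bot: In the `@@ -614,7 +621,11 @@` hunk of `dns_request_reply_cmp`, the pointer into `req->packet` is bounded by `len`, which is the length of the reply buffer `in`, not of the request packet. If the reply is longer than the stored request, an offset past the end of `req->packet` passes the check and is dereferenced. The third argument should be the request packet's own length (the field holding it is not visible in this hunk). The context line `memcpy (&len2, p, sizeof (guint16));` also reads from the reply cursor `p` while the branch advances `c`, which looks like a copy-paste slip from the `len1` branch and is worth confirming. The function starts and ends outside the hunk.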
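Review bot: The last `decompress_label` call in `dns_parse_labels` (hunk `@@ -705,7 +720,7 @@`) gets the new `max` argument but not the NULL check the other three call sites received, so a rejected pointer is dereferenced on the next line in `p = l + *l + 1;`. Unless the earlier pass in this function is guaranteed to have validated every pointer this loop follows, add the same guard here: `if (l == NULL) { msg_info ("invalid DNS pointer"); return FALSE; }`. If the first pass does give that guarantee, a short comment saying so would keep the asymmetry from looking like an oversight. The function body continues outside the hunk, so any cleanup of `*target` needed on this failure path cannot be judged from here.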
@@ -267,6 +267,7 @@ lua_dns_callback (struct rspamd_dns_reply *reply, gpointer arg) /* Actually this copy memory, so using of inet_ntoa is valid */ lua_pushstring (cd->L, inet_ntoa (ina)); lua_rawseti (cd->L, -2, ++i); + cur = g_list_next (cur); } lua_pushnil (cd->L); } @@ -277,6 +278,7 @@ lua_dns_callback (struct rspamd_dns_reply *reply, gpointer arg) elt = cur->data; lua_pushstring (cd->L, elt->ptr.name); lua_rawseti (cd->L, -2, ++i); + cur = g_list_next (cur); } lua_pushnil (cd->L); @@ -288,6 +290,7 @@ lua_dns_callback (struct rspamd_dns_reply *reply, gpointer arg) elt = cur->data; lua_pushstring (cd->L, elt->txt.data); lua_rawseti (cd->L, -2, ++i); + cur = g_list_next (cur); } lua_pushnil (cd->L); |
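Review bot: Advancing `cur` as the last statement of each loop body in `lua_dns_callback` is the same pattern that let all three loops lose the advance in the first place, and any later `continue` added above it would bring the non-terminating loop back. Since these lists are built from DNS replies, a loop that never ends here means unbounded pushes into the Lua table for any answer with at least one element. Consider moving the step into the loop header, e.g. `for (...; cur != NULL; cur = g_list_next (cur))`, in all three hunks; the loop headers themselves lie outside the visible context, so the initialiser has to be taken from the existing code.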