bug 1451928 - loop detection added for the TRR CNAME parser r?valentin
MozReview-Commit-ID: 8vLjS7hOYKU
--- a/netwerk/dns/TRR.cpp
+++ b/netwerk/dns/TRR.cpp
@@ -617,16 +617,17 @@ TRR::DohDecode()
break;
case TRRTYPE_NS:
break;
case TRRTYPE_CNAME:
if (mCname.IsEmpty()) {
uint8_t clength = 0;
unsigned int cindex = index;
+ unsigned int loop = 128; // a valid DNS name can never loop this much
do {
if (cindex >= mBodySize) {
LOG(("TRR: bad cname packet\n"));
return NS_ERROR_ILLEGAL_VALUE;
}
clength = static_cast<uint8_t>(mResponse[cindex]);
if ((clength & 0xc0) == 0xc0) {
// name pointer, get the new offset (14 bits)
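Review bot: The added `unsigned int loop = 128;` is a bare magic number, and its comment does not say what is being counted. Judging by the later hunk, it is decremented once per pass of the do-loop, so it caps decoding steps for one name rather than the name's length. A named constant, or a comment such as `// max decode steps for one name; stops compression-pointer cycles in an untrusted response`, would make that explicit. The do-loop body continues outside this hunk, so whether a pointer hop actually reaches the `--loop` test cannot be confirmed from here.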
@@ -649,17 +650,22 @@ TRR::DohDecode()
mCname.Append(".");
}
if ((cindex + clength) > mBodySize) {
return NS_ERROR_ILLEGAL_VALUE;
}
mCname.Append((const char *)(&mResponse[cindex]), clength);
cindex += clength; // skip label
}
- } while (clength);
+ } while (clength && --loop);
+
+ if (!loop) {
+ LOG(("TRR::DohDecode pointer loop error\n"));
+ return NS_ERROR_ILLEGAL_VALUE;
+ }
LOG(("TRR::DohDecode CNAME host %s => %s\n",
host.get(), mCname.get()));
}
else {
LOG(("TRR::DohDecode CNAME - ignoring another entry\n"));
}
break;
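Review bot: The `--loop` test bounds the number of passes but not the size of the result, so a response can still make the `mCname.Append` label copy grow the name to several kilobytes across 128 labels, far beyond the 255-octet limit of a DNS name. A length check ahead of that append, for example `if (mCname.Length() + clength + 1 > 255) { return NS_ERROR_ILLEGAL_VALUE; }`, would reject such input earlier and more tightly than the iteration cap. The new `if (!loop)` return, like the existing bounds-check return above it, also leaves `mCname` holding the partially decoded name; if any caller reads it after a failed decode, `mCname.Truncate();` before returning would avoid that. The loop body starts outside this hunk.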