PERFORCE change 125018 for review
Fredrik Lindberg
fli at FreeBSD.org
Fri Aug 10 08:37:30 PDT 2007
http://perforce.freebsd.org/chv.cgi?CH=125018
Change 125018 by fli at fli_nexus on 2007/08/10 15:37:24
Limit number of "pointer jumps" in the name decompression code
to 128 which is the maximum number of jumps any valid name could have.
Affected files ...
.. //depot/projects/soc2007/fli-mdns_sd/mdnsd/stack_packet.c#10 edit
Differences ...
==== //depot/projects/soc2007/fli-mdns_sd/mdnsd/stack_packet.c#10 (text+ko) ====
@@ -307,18 +307,11 @@
}
/*
- * Expand/translate a series of labels into a human
- * readable domain name, it also expands domain name compression.
- *
- * name - Pointer to start of name (inside buf)
- * dst - Destination buffer (where to store the expanded name)
- * dstlen - Size of destination buffer (MDNS_RECORD_LEN)
- * buf - Packet buffer
- * pkglen - Packet length
+ * Real decompression routine
*/
static int
-name_decompress(char *name, char *dst, size_t dstlen, char *buf,
- size_t pkglen)
+decompress(char *name, char *dst, size_t dstlen, char *buf,
+ size_t pkglen, int ptrjmp)
{
char *p, *q, val;
uint16_t offset;
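Review bot: The parameter list that documented this function moves to the new wrapper, so the added `ptrjmp` argument of `decompress()` is described nowhere. The replacement comment `Real decompression routine` should keep one line for it, for example `ptrjmp - Number of compression pointers followed so far (0 on the initial call)`, and state that the routine recurses once per pointer. The function body continues outside the hunk.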
@@ -333,8 +326,10 @@
offset = ntohs(MDNS_READ2(p)) & ~0xc000;
if (offset > pkglen || (buf + offset) == name)
return (-1);
- return (name_decompress(buf + offset, q, dstlen - i,
- buf, pkglen));
+ else if (++ptrjmp > 128)
+ return (-1);
+ return (decompress(buf + offset, q, dstlen - i,
+ buf, pkglen, ptrjmp));
}
val = *p & 0x3f;
if ((p + val + 1) > (buf + pkglen))
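Review bot: The bounds test `offset > pkglen` on the context line above the new counter still accepts `offset == pkglen`, so the recursive `decompress(buf + offset, ...)` call starts one byte past the end of the packet. Unless the loop head outside this hunk checks the position before dereferencing, a malformed packet can cause a one-byte out-of-bounds read; `if (offset >= pkglen || (buf + offset) == name)` closes it. The new `++ptrjmp > 128` limit does bound pointer loops that the `== name` test misses, but the literal would read better as a named constant with a comment deriving it from the maximum name length. The function body starts and ends outside the hunk.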
@@ -351,6 +346,25 @@
}
/*
+ * Expand/translate a series of labels into a human
+ * readable domain name, it also expands domain name compression.
+ *
+ * name - Pointer to start of name (inside buf)
+ * dst - Destination buffer (where to store the expanded name)
+ * dstlen - Size of destination buffer (MDNS_RECORD_LEN)
+ * buf - Packet buffer
+ * pkglen - Packet length
+ */
+static int
+name_decompress(char *name, char *dst, size_t dstlen, char *buf,
+ size_t pkglen)
+{
+ int ptrjmp = 0;
+
+ return (decompress(name, dst, dstlen, buf, pkglen, ptrjmp));
+}
+
+/*
* Some resource types requires special attention as their resource data
* contains names that might have been name compressed.
*/
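Review bot: The comment moved onto `name_decompress()` lists the parameters but not the failure contract, which this change extends. It should add a line such as `Returns -1 on malformed input, including names that follow more than 128 compression pointers`. The local `ptrjmp` is only passed through once, so `return (decompress(name, dst, dstlen, buf, pkglen, 0));` would be simpler.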