DNS: break out of DNSResponseGetNameByOffset if we're in there too long. Can happen on bad data.

12 years ago · 91fb47475b
parent aa26dae5a1
commit 91fb47475b
1 changed files with 5 additions and 0 deletions
--- a/src/app-layer-dns-common.c
+++ b/src/app-layer-dns-common.c
@ -390,6 +390,7 @@ static uint16_t DNSResponseGetNameByOffset(const uint8_t * const input, const ui
        goto insufficient_data;
    }

+    int steps = 0;
    uint16_t fqdn_offset = 0;
    uint8_t length = *(input + offset);
    const uint8_t *qdata = input + offset;
@ -437,12 +438,16 @@ static uint16_t DNSResponseGetNameByOffset(const uint8_t * const input, const ui

        length = *qdata;
        SCLogDebug("qry length %u", length);
+        steps++;
+        if (steps >= 255)
+            goto bad_data;
    }
    if (fqdn_offset) {
        fqdn_offset--;
    }
    //PrintRawDataFp(stdout, fqdn, fqdn_offset);
    SCReturnUInt(fqdn_offset);
+bad_data:
 insufficient_data:
    SCReturnUInt(0U);
 }