Merge pull request #4813 from haesbaert/dns-fixes

Fix some compression bugs in dns.

1 files changed, 15 insertions, 8 deletions

diff --git a/core/net/dns.odin b/core/net/dns.odin
index 6d5dfea23..3730b8e94 100644
--- a/core/net/dns.odin
+++ b/core/net/dns.odin
@@ -533,18 +533,21 @@ decode_hostname :: proc(packet: []u8, start_idx: int, allocator := context.alloc
 			return
 		}
 
-		if packet[cur_idx] > 63 && packet[cur_idx] != 0xC0 {
-			return
-		}
-
-		switch packet[cur_idx] {
+		switch {
 
-		// This is a offset to more data in the packet, jump to it
-		case 0xC0:
+		// A pointer is when the two higher bits are set.
+		case packet[cur_idx] & 0xC0 == 0xC0:
+			if len(packet[cur_idx:]) < 2 {
+				return
+			}
 			pkt := packet[cur_idx:cur_idx+2]
 			val := (^u16be)(raw_data(pkt))^
 			offset := int(val & 0x3FFF)
-			if offset > len(packet) {
+			// RFC 9267 a ptr should only point backwards, enough to avoid infinity.
+			// "The offset at which this octet is located must be smaller than the offset
+			// at which the compression pointer is located". Still keep iteration_max to
+			// avoid tiny jumps.
+			if offset > len(packet) || offset >= cur_idx {
 				return
 			}
 
@@ -555,6 +558,10 @@ decode_hostname :: proc(packet: []u8, start_idx: int, allocator := context.alloc
 				level += 1
 			}
 
+		// Validate label len
+		case packet[cur_idx] > LABEL_MAX:
+			return
+
 		// This is a label, insert it into the hostname
 		case:
 			label_size := int(packet[cur_idx])