Avoid a stack overflow in dns.lua. A "compressed" DNS message can have its

pointers arranged to form a loop. We put a limit on the number of pointers we're willing to follow.
2025-12-25 08:59:01 +00:00 · 2008-11-19 19:59:51 +00:00
parent a7629c94db
commit f8987ac849
1 changed files with 34 additions and 17 deletions
--- a/nselib/dns.lua
+++ b/nselib/dns.lua
@@ -477,26 +477,43 @@ end
 -- Decodes a domain in a DNS packet. Handles "compressed" data too.
 -- @param data Complete DNS packet.
 -- @param pos Starting position in packet.
-- @return Position after decoding. 
-- @return Decoded domain.
+-- @return Position after decoding.
+-- @return Decoded domain, or <code>nil</code> on error.
 local function decStr(data, pos)
-   local partlen
-   local parts = {}
-   local part
-   pos, partlen = bin.unpack(">C", data, pos)
-   while (partlen ~= 0) do
-      if (partlen < 64) then 
-         pos, part = bin.unpack("A" .. partlen, data, pos)
-         table.insert(parts, part)
-         pos, partlen = bin.unpack(">C", data, pos)
-      else
-         pos, partlen = bin.unpack(">S", data, pos - 1)
-         local _, part = decStr(data, partlen - 0xC000 + 1)
-         table.insert(parts, part)
-         partlen = 0
+   local function dec(data, pos, limit)
+      local partlen
+      local parts = {}
+      local part
+
+      -- Avoid infinite recursion on malformed compressed messages.
+      limit = limit or 1
+      if limit < 0 then
+         return pos, nil
      end
+
+      pos, partlen = bin.unpack(">C", data, pos)
+      while (partlen ~= 0) do
+         if (partlen < 64) then 
+            pos, part = bin.unpack("A" .. partlen, data, pos)
+            if part == nil then
+               return pos
+            end
+            table.insert(parts, part)
+            pos, partlen = bin.unpack(">C", data, pos)
+         else
+            pos, partlen = bin.unpack(">S", data, pos - 1)
+            local _, part = dec(data, partlen - 0xC000 + 1, limit - 1)
+            if part == nil then
+               return pos
+            end
+            table.insert(parts, part)
+            partlen = 0
+         end
+      end
+      return pos, table.concat(parts, ".")
   end
-   return pos, table.concat(parts, ".")
+
+   return dec(data, pos)
 end