From c20c82bcb5521c6050580523d31f56a9ef361f56 Mon Sep 17 00:00:00 2001
From: Gaya Cohen
Date: Mon, 24 May 2021 15:12:23 +0300
Subject: [PATCH] Fix pointer loop bug and add descriptive exceptions
---
 include/tins/exceptions.h | 13 +++++++++++++
 src/dns.cpp | 6 +++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/include/tins/exceptions.h b/include/tins/exceptions.h
index 844439b..3ef91ba 100644
--- a/include/tins/exceptions.h
+++ b/include/tins/exceptions.h
@@ -66,6 +66,19 @@ public:
 malformed_packet() : exception_base("Malformed packet") { }
 };

+class DNS_decompression_pointer_out_of_bounds : public exception_base {
+public:
+ DNS_decompression_pointer_out_of_bounds() : exception_base("DNS decompression pointer out of bounds") { }
+};
+
+/**
+ * \brief Exception thrown when a DNS decompression pointer loops.
+ */
+class DNS_decompression_pointer_loops : public exception_base {
+public:
+ DNS_decompression_pointer_loops() : exception_base("DNS decompression pointer loops") { }
+};
+
 /**
 * \brief Exception thrown when serializing a packet fails.
 */
diff --git a/src/dns.cpp b/src/dns.cpp
index 46712e7..759ddde 100644
--- a/src/dns.cpp
+++ b/src/dns.cpp
@@ -336,7 +336,11 @@ uint32_t DNS::compose_name(const uint8_t* ptr, char* out_ptr) const {
 const uint8_t* end = &records_data_[0] + records_data_.size();
 const uint8_t* end_ptr = 0;
 char* current_out_ptr = out_ptr;
+ int pointer_counter = 0;
 while (*ptr) {
+ if (pointer_counter++ > 30){
+ throw DNS_decompression_pointer_loops();
+ }
 // It's an offset
 if ((*ptr & 0xc0)) {
 if (TINS_UNLIKELY(ptr + sizeof(uint16_t) > end)) {
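Review bot: Both new exception classes derive from `exception_base` rather than from `malformed_packet`, so a caller that parses untrusted DNS data under `catch (malformed_packet&)` no longer catches the out-of-bounds pointer case, which threw `malformed_packet` before this commit (the changed `throw` is in the second src/dns.cpp hunk). An exception that escapes such a handler can terminate a process that was previously robust against this malformed input. Deriving both classes from `malformed_packet` would keep existing handlers working while still allowing finer-grained catches; that needs a `malformed_packet` constructor that accepts a message, which is not visible in this hunk. `DNS_decompression_pointer_out_of_bounds` is also missing the doc comment its sibling has, for example `\brief Exception thrown when a DNS decompression pointer points outside the records data.`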
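Review bot: `pointer_counter` is incremented at the top of every `while (*ptr)` iteration, before the `(*ptr & 0xc0)` test, so it counts every pass through the loop and not only compression-pointer hops. If the non-pointer branch (outside this hunk) consumes one label per iteration, a well-formed name with more than 31 labels would be rejected with `DNS_decompression_pointer_loops`. Placing the check directly after `if ((*ptr & 0xc0)) {`, as `if (++pointer_counter > 30) { throw DNS_decompression_pointer_loops(); }`, limits only the pointer hops, which is what bounds the loop on hostile input. The literal 30 would read better as a named constant with a comment on why that limit was chosen. The body of compose_name starts and ends outside the hunk.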
@@ -347,7 +351,7 @@ uint32_t DNS::compose_name(const uint8_t* ptr, char* out_ptr) const {
 index = Endian::be_to_host(index) & 0x3fff;
 // Check that the offset is neither too low or too high
 if (index < 0x0c || (&records_data_[0] + (index - 0x0c)) >= end) {
- throw malformed_packet();
+ throw DNS_decompression_pointer_out_of_bounds();
 }
 // We've probably found the end of the original domain name. Save it.
 if (end_ptr == 0) {