From ad3ba8838d82267cbafa5d293b86e2eef41fa9c5 Mon Sep 17 00:00:00 2001
From: cinap_lenrek <cinap_lenrek@felloff.net>
Date: Thu, 28 Nov 2013 23:47:49 +0100
Subject: ndb/dns: check bad name length in convM2DNS.c:^gname()

---
 sys/src/cmd/ndb/convM2DNS.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'sys/src/cmd/ndb/convM2DNS.c')

diff --git a/sys/src/cmd/ndb/convM2DNS.c b/sys/src/cmd/ndb/convM2DNS.c
index c2b94c98d..d920462ce 100644
--- a/sys/src/cmd/ndb/convM2DNS.c
+++ b/sys/src/cmd/ndb/convM2DNS.c
@@ -226,17 +226,21 @@ gname(char *to, RR *rp, Scan *sp)
 		goto err;
 	pointer = 0;
 	p = sp->p;
-	if (p == nil) {
+	if(p == nil) {
 		dnslog("gname: %R: nil sp->p", rp);
 		goto err;
 	}
 	toend = to + Domlen;
 	for(len = 0; *p && p < sp->ep; len += (pointer? 0: n+1)) {
 		n = 0;
-		switch (*p & 0300) {
+		switch(*p & 0300) {
 		case 0:			/* normal label */
-			if (p < sp->ep)
+			if(p < sp->ep)
 				n = *p++ & 077;		/* pick up length */
+			if(sp->ep - p <= n){
+				sp->err = "bad name length";
+				goto err;
+			}
 			if(len + n < Domlen - 1){
 				if(n > toend - to){
 					errtoolong(rp, sp, toend - to, n,
-- 
cgit v1.2.3