Resolver: fixed label types handling in ngx_resolver_copy().

Previously, anything with any of the two high bits set were interpreted
as compression pointers.  This is incorrect, as RFC 1035 clearly states
that "The 10 and 01 combinations are reserved for future use".  Further,
the 01 combination is actually allocated for EDNS extended label type
(see RFC 2671 and RFC 6891), not really used though.

Fix is to reject unrecognized label types rather than misinterpreting
them as compression pointers.

diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index 9b131723475e6dc4ef16e2dbcb25ded51f5294a4..12dab09ea8534d9dfca33b1aa98938c2e55c89cd 100644 (file)
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -3958,6 +3958,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src,
         }
 
         if (n & 0xc0) {
+            if ((n & 0xc0) != 0xc0) {
+                err = "invalid label type in DNS response";
+                goto invalid;
+            }
+
             if (p >= last) {
                 err = "name is out of DNS response";
                 goto invalid;