[PATCH] Fix dn_expand pointer following

[PATCH] Fix dn_expand pointer following

[Michael Forney]

---
While looking over the dn_{comp,expand} functions, I noticed that this looked
wrong in dn_expand.

http://www.ietf.org/rfc/rfc1035.txt says that if the first two bits are 1s
(i.e., *p & 0xc0), then the remaining 14 bits specify the offset.

I haven't actually seen this manifest anywhere, and I have only tested up to
compilation.

 src/network/dn_expand.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/network/dn_expand.c b/src/network/dn_expand.c
index 4e02e3d..96adf37 100644
--- a/src/network/dn_expand.c
+++ b/src/network/dn_expand.c
@@ -10,7 +10,7 @@ int __dn_expand(const unsigned char *base, const unsigned char *end, const unsig
 	for (;;) {
 		if (*p & 0xc0) {
 			if (p+1==end) return -1;
-			j = (p[0]&1) | p[1];
+			j = ((p[0] & 0x3f) << 8) | p[1];
 			if (len < 0) len = p+2-src;
 			if (j >= end-base) return -1;
 			p = base+j;
-- 
1.8.4.2

Re: [PATCH] Fix dn_expand pointer following

[Rich Felker]

On Mon, Nov 04, 2013 at 09:43:57PM -0800, Michael Forney wrote:
> ---
> While looking over the dn_{comp,expand} functions, I noticed that this looked
> wrong in dn_expand.
> 
> http://www.ietf.org/rfc/rfc1035.txt says that if the first two bits are 1s
> (i.e., *p & 0xc0), then the remaining 14 bits specify the offset.

Indeed. The code was just written for internal use in musl, which only
performs UDP queries, limiting the packet size to 512 bytes. Thus only
9 bits can be set in a valid packet. However it probably makes sense
to read the whole value anyway in case the caller of dn_expand was
using tcp or just to better reject invalid packets.

Rich