Fix pointer loop bug and add descriptive exceptions

gaya-cohen · gaya-cohen · commit c20c82bcb552 · 2021-05-24T15:12:23.000+03:00
diff --git a/include/tins/exceptions.h b/include/tins/exceptions.h
@@ -66,6 +66,19 @@ class malformed_packet : public exception_base {
     malformed_packet() : exception_base("Malformed packet") { }
 };
 
+class DNS_decompression_pointer_out_of_bounds : public exception_base {
+public:
+    DNS_decompression_pointer_out_of_bounds() : exception_base("DNS decompression pointer out of bounds") { }
+};
+
+/**
+ * \brief Exception thrown when a DNS decompression pointer loops.
+ */
+class DNS_decompression_pointer_loops : public exception_base {
+public:
+    DNS_decompression_pointer_loops() : exception_base("DNS decompression pointer loops") { }
+};
+
 /**
  * \brief Exception thrown when serializing a packet fails.
  */
diff --git a/src/dns.cpp b/src/dns.cpp
@@ -336,7 +336,11 @@ uint32_t DNS::compose_name(const uint8_t* ptr, char* out_ptr) const {
     const uint8_t* end = &records_data_[0] + records_data_.size();
     const uint8_t* end_ptr = 0;
     char* current_out_ptr = out_ptr;
+    int pointer_counter = 0;
     while (*ptr) {
+        if (pointer_counter++ > 30){
+            throw DNS_decompression_pointer_loops();
+        }
         // It's an offset
         if ((*ptr & 0xc0)) {
             if (TINS_UNLIKELY(ptr + sizeof(uint16_t) > end)) {
@@ -347,7 +351,7 @@ uint32_t DNS::compose_name(const uint8_t* ptr, char* out_ptr) const {
             index = Endian::be_to_host(index) & 0x3fff;
             // Check that the offset is neither too low or too high
             if (index < 0x0c || (&records_data_[0] + (index - 0x0c)) >= end) {
-                throw malformed_packet();
+                throw DNS_decompression_pointer_out_of_bounds();
             }
             // We've probably found the end of the original domain name. Save it.
             if (end_ptr == 0) {
