ref: 014b9a62ac919b4f7ada38b8649f6a4a062cd207
parent: 4bc5793a2c0a02ad85b853904603c896c3c77fb5
author: Ori Bernstein <[email protected]>
date: Sat Oct 14 13:50:55 EDT 2023
idn: fix crash with long domain names When a domain name gets long enough, we can end up passing a remaining length of 0 to seprint. When seprint has no buffer space at all, it returns nil, which then crashes our DNS server. This checks for a nil return from seprint and returns an error
--- a/sys/src/libc/9sys/idn.c
+++ b/sys/src/libc/9sys/idn.c
@@ -211,7 +211,8 @@
if(cistrncmp(cp, "xn--", 4) == 0)
if((nr = punydecode(nc-4, cp+4, nelem(rb), rb)) < 0)
return -1;
- dp = seprint(dp, de, "%.*S", nr, rb);
+ if((dp = seprint(dp, de, "%.*S", nr, rb)) == nil)
+ return -1;
if(dp >= de)
return -1;
if(cp[nc] == 0)
@@ -251,10 +252,12 @@
rb[nr++] = r;
nc += n;
}
- if(nc == nr)
- dp = seprint(dp, de, "%.*s", nc, cp);
- else {
- dp = seprint(dp, de, "xn--");
+ if(nc == nr){
+ if((dp = seprint(dp, de, "%.*s", nc, cp)) == nil)
+ return -1;
+ }else{
+ if((dp = seprint(dp, de, "xn--")) == nil)
+ return -1;
if((n = punyencode(nr, rb, de - dp, dp)) < 0)
return -1;
dp += n;