From 9f939335a07085aa9a9663efd1dca06ef6405d62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Wed, 25 Oct 2017 11:19:19 +0200
Subject: [PATCH] resolved: fix loop on packets with pseudo dns types
Reported by Karim Hossen & Thomas Imbert from Sogeti ESEC R&D.
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725351
CVE: CVE-2017-15908
Upstream-Status: Backport [https://launchpadlibrarian.net/342808615/resolved-fix-loop-on-packets-with-pseudo-dns-types.patch]
Signed-off-by: Andreas Wellving
---
 src/resolve/resolved-dns-packet.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index e2f227bfc6..35f4d0689b 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1514,7 +1514,7 @@ static int dns_packet_read_type_window(DnsPacket *p, Bitmap **types, size_t *sta
 found = true;
- while (bitmask) {
+ for (; bitmask; bit++, bitmask >>= 1)
 if (bitmap[i] & bitmask) {
 uint16_t n;
@@ -1528,10 +1528,6 @@ static int dns_packet_read_type_window(DnsPacket *p, Bitmap **types, size_t *sta
 if (r < 0)
 return r;
 }
-
- bit++;
- bitmask >>= 1;
- }
 }
 if (!found)
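Review bot: The new `for (; bitmask; bit++, bitmask >>= 1)` header in the first hunk (@@ -1514) now carries the loop's only progress step, but nothing in the code records why it has to live there. The subject line suggests that a `continue` for pseudo-types sits in the lines between the two hunks (not shown here); if so, moving the step back into the body would bring back the loop that never terminates on such packets. I would add a comment above the loop such as `/* bit and bitmask advance in the for header so that 'continue' cannot skip them */`. The unbraced `for` over a multi-line `if` block is also easy to misread, and braces around the body would make its extent explicit. The body of dns_packet_read_type_window starts and ends outside both hunks.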