From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001
From: Waldemar Brodkorb <wbx@openadk.org>
Date: Sun, 17 Jan 2016 15:47:22 +0100
Subject: [PATCH] Do not follow compressed items forever.

It is possible to get stuck in an infinite loop when receiving a
specially crafted DNS reply. Exit the loop after a number of iteration
and consider the packet invalid.

Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>

Upstream-status: Backport
http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515

CVE: CVE-2016-2224
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 libc/inet/resolv.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Index: git/libc/inet/resolv.c
===================================================================
--- git.orig/libc/inet/resolv.c
+++ git/libc/inet/resolv.c
@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
 	bool measure = 1;
 	unsigned total = 0;
 	unsigned used = 0;
+	unsigned maxiter = 256;
 
 	if (!packet)
 		return -1;
 
-	while (1) {
+	while (--maxiter) {
 		if (offset >= packet_len)
 			return -1;
 		b = packet[offset++];
@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
 		else
 			dest[used++] = '\0';
 	}
+	if (!maxiter)
+		return -1;
 
 	/* The null byte must be counted too */
 	if (measure)