From cde34cac9d87c37b33c19eede3ed49ac3f465a18 Mon Sep 17 00:00:00 2001
From: Yusuke Endoh <mame@ruby-lang.org>
Date: Tue, 8 Jul 2025 16:19:30 +0900
Subject: [PATCH] Limit decompressed name length

RFC 1035 specifies the 255-octet maximum name length. This change set
checks the limit.
---
 lib/resolv.rb           | 6 +++++-
 test/resolv/test_dns.rb | 7 +++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

--- a/lib/resolv.rb
+++ b/lib/resolv.rb
@@ -1623,6 +1623,7 @@ class Resolv
           prev_index = @index
           save_index = nil
           d = []
+          size = -1
           while true
             raise DecodeError.new("limit exceeded") if @limit <= @index
             case @data.getbyte(@index)
@@ -1643,7 +1644,10 @@ class Resolv
               end
               @index = idx
             else
-              d << self.get_label
+              l = self.get_label
+              d << l
+              size += 1 + l.string.bytesize
+              raise DecodeError.new("name label data exceed 255 octets") if size > 255
             end
           end
         end
--- a/test/resolv/test_dns.rb
+++ b/test/resolv/test_dns.rb
@@ -386,6 +386,13 @@ class TestResolvDNS < Test::Unit::TestCa
     assert_operator(2**14, :<, m.to_s.length)
   end
 
+  def test_too_long_address
+    too_long_address_message = [0, 0, 1, 0, 0, 0].pack("n*") + "\x01x" * 129 + [0, 0, 0].pack("cnn")
+    assert_raise_with_message(Resolv::DNS::DecodeError, /name label data exceed 255 octets/) do
+      Resolv::DNS::Message.decode too_long_address_message
+    end
+  end
+
   def assert_no_fd_leak
     socket = assert_throw(self) do |tag|
       Resolv::DNS.stub(:bind_random_port, ->(s, *) {throw(tag, s)}) do