disallow forward compression pointers

dns.unpack-labels.js

@@ -9,7 +9,7 @@
 //
 // NOTE:
 // "NAME"s are terminated with 0x00
-// "RDATA" is terminated by its length
+// "RDATA" is terminated by its length, but its labels may null-terminated
 exports.DNS_UNPACK_LABELS = function (ui8, ptr, q) {
   if (q.cpcount > 25) {
     throw new Error("compression pointer loop detected (over 25 pointers seems like a loop)");
@@ -37,13 +37,23 @@ exports.DNS_UNPACK_LABELS = function (ui8, ptr, q) {
       // The remaining bits may be used to specify the address of the pointer
       // (it would seem that only 1 extra bit is actually used since the message size is 512 bytes)
       var cpptr = ((ui8[total] & 0x3f) << 8) |  ui8[total + 1];
+      if (cpptr >= total) {
+        throw new Error(
+          "Compression pointer at"
+        + " 0x" + total.toString() + " (" + total + ")"
+        + " points forward to"
+        + " 0x" + cpptr.toString(16) + " (" + cpptr + ")"
+        );
+      }
 
       // We're not coming back, so if this is the first time we're following one of
       // these pointers we up the byteLength to mark the pointer as part of the label
       if (!q.cpcount) {
         q.byteLength += 2; // cp and len
+        //q.cps = [];
       }
       q.cpcount += 1;
+      //q.cps.push(cpptr);
 
       // recursion
       return exports.DNS_UNPACK_LABELS(ui8, cpptr, q);