fix dn_expand empty name handling and offsets to 0

Empty name was rejected in dn_expand since commit
56b57f37a46dab432247bf29d96fcb11fbd02a6d
which is a regression as reported by Natanael Copa.

Furthermore if an offset pointer in a compressed name
pointed to a terminating 0 byte (instead of a label)
the returned name was not null terminated.

1 files changed, 9 insertions, 6 deletions

diff --git a/src/network/dn_expand.c b/src/network/dn_expand.c
index 849df19a..d9b33936 100644
--- a/src/network/dn_expand.c
+++ b/src/network/dn_expand.c
@@ -4,11 +4,13 @@
 int __dn_expand(const unsigned char *base, const unsigned char *end, const unsigned char *src, char *dest, int space)
 {
 	const unsigned char *p = src;
-	char *dend = dest + (space > 254 ? 254 : space);
+	char *dend, *dbegin = dest;
 	int len = -1, i, j;
-	if (p==end || !*p) return -1;
+	if (p==end || space <= 0) return -1;
+	dend = dest + (space > 254 ? 254 : space);
 	/* detect reference loop using an iteration counter */
 	for (i=0; i < end-base; i+=2) {
+		/* loop invariants: p<end, dest<dend */
 		if (*p & 0xc0) {
 			if (p+1==end) return -1;
 			j = ((p[0] & 0x3f) << 8) | p[1];
@@ -16,11 +18,12 @@ int __dn_expand(const unsigned char *base, const unsigned char *end, const unsig
 			if (j >= end-base) return -1;
 			p = base+j;
 		} else if (*p) {
-			j = *p+1;
-			if (j>=end-p || j>dend-dest) return -1;
-			while (--j) *dest++ = *++p;
-			*dest++ = *++p ? '.' : 0;
+			if (dest != dbegin) *dest++ = '.';
+			j = *p++;
+			if (j >= end-p || j >= dend-dest) return -1;
+			while (j--) *dest++ = *p++;
 		} else {
+			*dest = 0;
 			if (len < 0) len = p+1-src;
 			return len;
 		}