From 2410aba47047ec89dfb7315e032f3d26ce2ffb45 Mon Sep 17 00:00:00 2001
From: Andrei Litvin
Date: Thu, 2 May 2024 15:06:07 -0400
Subject: [PATCH] Fix off-by-one in look checks for QName iterators. (#33273)

Unit test sizes for the string `test` were off by one which masked a off-by-one comparison in QName handling. Update unit test and comparisons. This will disallow backward references to "self" for qnames.
Co-authored-by: Andrei Litvin
---
 src/lib/dnssd/minimal_mdns/core/QName.cpp | 2 +-
 src/lib/dnssd/minimal_mdns/core/tests/TestQName.cpp | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/lib/dnssd/minimal_mdns/core/QName.cpp b/src/lib/dnssd/minimal_mdns/core/QName.cpp
index 94a15bb4e8bba8..71b922ba925473 100644
--- a/src/lib/dnssd/minimal_mdns/core/QName.cpp
+++ b/src/lib/dnssd/minimal_mdns/core/QName.cpp
@@ -61,7 +61,7 @@ bool SerializedQNameIterator::Next(bool followIndirectPointers)
 }
 size_t offset = ((*mCurrentPosition & 0x3F) << 8) | *(mCurrentPosition + 1);
- if (offset > mLookBehindMax)
+ if (offset >= mLookBehindMax)
 {
 // Potential infinite recursion.
 mIsValid = false;
diff --git a/src/lib/dnssd/minimal_mdns/core/tests/TestQName.cpp b/src/lib/dnssd/minimal_mdns/core/tests/TestQName.cpp
index da2f91013b3217..7f103c801dab75 100644
--- a/src/lib/dnssd/minimal_mdns/core/tests/TestQName.cpp
+++ b/src/lib/dnssd/minimal_mdns/core/tests/TestQName.cpp
@@ -136,7 +136,7 @@ void InvalidReferencing(nlTestSuite * inSuite, void * inContext)
 {
 // Infinite recursion
- static const uint8_t kData[] = "\03test\xc0\x00";
+ static const uint8_t kData[] = "\04test\xc0\x00";
 SerializedQNameIterator it = AsSerializedQName(kData);
 NL_TEST_ASSERT(inSuite, it.Next());
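Review bot: The comment under the changed comparison in `SerializedQNameIterator::Next` still reads only `// Potential infinite recursion.`, which does not tell a reader why equality has to be rejected. With `>=`, a compression pointer whose target equals the look-behind limit is refused, which per the commit message is the self-reference case; a comment such as `// A pointer must target an offset strictly below mLookBehindMax; an equal or higher target could re-enter this pointer and never terminate.` would pin that invariant. How `mLookBehindMax` is initialised and narrowed after a followed pointer is outside this hunk, so it is worth confirming that it shrinks on every jump, otherwise a chain of pointers could still cycle. The body of `Next` starts and ends outside the hunk.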
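Review bot: The length prefix in `kData` is counted by hand and nothing beside the literal shows which byte offset the `\xc0` pointer occupies, which is how the `\03` miscount for the four-byte label `test` went unnoticed. A layout comment above the literal would make the intent checkable in review, for example `// offsets: 0 = label length (4), 1-4 = "test", 5-6 = pointer to offset 0`. The same applies to the `\xc0\x05` and `\xc0\x07` literals in the hunks at -146 and -165. The assertions that follow `it.Next()` lie outside these hunks, so whether they check `IsValid()` after the bad pointer cannot be seen here.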
@@ -146,7 +146,7 @@ void InvalidReferencing(nlTestSuite * inSuite, void * inContext)
 {
 // Infinite recursion by referencing own element (inside the stream)
- static const uint8_t kData[] = "\03test\xc0\x05";
+ static const uint8_t kData[] = "\04test\xc0\x05";
 SerializedQNameIterator it = AsSerializedQName(kData);
 NL_TEST_ASSERT(inSuite, it.Next());
@@ -165,7 +165,7 @@ void InvalidReferencing(nlTestSuite * inSuite, void * inContext)
 {
 // Reference that goes forwad instead of backward
- static const uint8_t kData[] = "\04test\xc0\x07";
+ static const uint8_t kData[] = "\04test\xc0\x07";
 SerializedQNameIterator it = AsSerializedQName(kData);
 NL_TEST_ASSERT(inSuite, it.Next());
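Review bot: The updated cases in `InvalidReferencing` only exercise the rejecting side of the new `>=` comparison; with `"\04test\xc0\x05"` the pointer sits at offset 5 and targets offset 5, and `\xc0\x07` targets past it. Nothing visible in these hunks pins the accepting side, so a later edit that tightens the check further would not be caught here. If the file has no such case elsewhere, a sibling block with a pointer to an earlier, complete label that is asserted to iterate successfully and leave `it.IsValid()` true would guard the boundary from both directions. The rest of each test block is outside the hunks.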