Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230322140735.GX4163@brightrain.aerifal.cx>
Date: Wed, 22 Mar 2023 10:07:35 -0400
From: Rich Felker <dalias@...c.org>
To: Alexey Kodanev <aleksei.kodanev@...l-sw.com>
Cc: musl@...ts.openwall.com
Subject: Re: [PATCH] dns: check length field in tcp response message

On Wed, Mar 22, 2023 at 04:48:00PM +0300, Alexey Kodanev wrote:
> Hi Rich,
> On 22.03.2023 16:16, Rich Felker wrote:
> > On Wed, Mar 22, 2023 at 03:29:16PM +0300, Alexey Kodanev wrote:
> >> The received length field in the message may be greater than the
> >> size of the 'answer' buffer in which the message resides. Currently,
> >> ABUF_SIZE is 768. And if we get a larger 'alen', it will result
> >> in an out-of-bounds reading during parsing, because 'alen' will
> >> be passed to __dns_parse() later:
> >>
> >>     __dns_parse(abuf[i], alens[i], dns_parse_callback, &ctx);
> >>
> >> To fix this, limit 'alen' to the size of the received buffer.
> >> ---
> >>  src/network/res_msend.c | 1 +
> >>  1 file changed, 1 insertion(+)
> >>
> >> diff --git a/src/network/res_msend.c b/src/network/res_msend.c
> >> index fef7e3a2..291853de 100644
> >> --- a/src/network/res_msend.c
> >> +++ b/src/network/res_msend.c
> >> @@ -297,6 +297,7 @@ int __res_msend_rc(int nqueries, const unsigned char *const *queries,
> >>  			int rcode = answers[i][3] & 15;
> >>  			if (rcode != 0 && rcode != 3)
> >>  				goto out;
> >> +			if (alen > asize) alen = asize;
> >>  
> >>  			/* Storing the length here commits the accepted answer.
> >>  			 * Immediately close TCP socket so as not to consume
> >> -- 
> >> 2.25.1
> > 
> > This is incorrect. It breaks res_send, whose contract is to return the
> > full answer length even if it did not fit, so that the caller can
> > retry with the appropriate size.
> > 
> > Instead, name_from_dns just needs to clamp the value before passing it
> > to __dns_parse.
> > 
> 
> OK, I see, something like this or better with sizeof *abuf?
> 
> diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
> index 5f6867cb..65b3e8fb 100644
> --- a/src/network/lookup_name.c
> +++ b/src/network/lookup_name.c
> @@ -175,6 +175,7 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static
>                 if (alens[i] < 4 || (abuf[i][3] & 15) == 2) return EAI_AGAIN;
>                 if ((abuf[i][3] & 15) == 3) return 0;
>                 if ((abuf[i][3] & 15) != 0) return EAI_FAIL;
> +               if (alens[i] > ABUF_SIZE) alens[i] = ABUF_SIZE;
>         }
> 
>         for (i=nq-1; i>=0; i--) {

I don't think it matters a whole lot which you use. sizeof abuf[i]
might be the most clear. But I would move it down to the next loop
that's about use of the results rather than the error-checking loop.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.