Date: Wed, 22 Mar 2023 09:16:51 -0400 From: Rich Felker <dalias@...c.org> To: Alexey Kodanev <aleksei.kodanev@...l-sw.com> Cc: musl@...ts.openwall.com Subject: Re: [PATCH] dns: check length field in tcp response message On Wed, Mar 22, 2023 at 03:29:16PM +0300, Alexey Kodanev wrote: > The received length field in the message may be greater than the > size of the 'answer' buffer in which the message resides. Currently, > ABUF_SIZE is 768. And if we get a larger 'alen', it will result > in an out-of-bounds reading during parsing, because 'alen' will > be passed to __dns_parse() later: > > __dns_parse(abuf[i], alens[i], dns_parse_callback, &ctx); > > To fix this, limit 'alen' to the size of the received buffer. > --- > src/network/res_msend.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/src/network/res_msend.c b/src/network/res_msend.c > index fef7e3a2..291853de 100644 > --- a/src/network/res_msend.c > +++ b/src/network/res_msend.c > @@ -297,6 +297,7 @@ int __res_msend_rc(int nqueries, const unsigned char *const *queries, > int rcode = answers[i] & 15; > if (rcode != 0 && rcode != 3) > goto out; > + if (alen > asize) alen = asize; > > /* Storing the length here commits the accepted answer. > * Immediately close TCP socket so as not to consume > -- > 2.25.1 This is incorrect. It breaks res_send, whose contract is to return the full answer length even if it did not fit, so that the caller can retry with the appropriate size. Instead, name_from_dns just needs to clamp the value before passing it to __dns_parse. Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.