Date: Mon, 17 Jul 2023 14:48:18 -0400 From: Rich Felker <dalias@...c.org> To: Markus Wichmann <nullplan@....net> Cc: musl@...ts.openwall.com Subject: Re: Erroneous rejection of pointers in __dns_parse On Sun, Jul 16, 2023 at 08:58:04AM +0200, Markus Wichmann wrote: > Hi all, > > __dns_parse() must skip over all domain names in the package as part of > its operation, and it also checks if the domain names end in a pointer, > and the pointer has an offset larger than 510, because then it also > returns failure immediately. That is probably from before the TCP merge, > when the response buffer was a fixed 512 bytes. Now it is 768, so > pointers can have an offset of up to 766. Except they cannot have an > offset larger than rlen-2 in any case. Following commit 12590c8bbd04ea484cee86812e2258fbdfca0e59, does the attached fix seem ok? > I am not quite sure what the point of invalid pointer detection in > __dns_parse() is, given that if the name ever actually matters, > __dn_expand() will reject it in its operation. But the hardcoded limit > in __dns_parse() means that packages from TCP cannot contain pointers > that reference the last third of the buffer. > > On a related note, I see that a malformed packet can send __dn_expand() > into an infinite loop: If a pointer points to another pointer, they can > form a loop. The loop can be arbitrarily complex, so history tracking > would do no good. I think it would be a good idea to reject pointers to > pointers in that function. Because then every pointer must cause at > least two bytes to be written to the destination buffer, so it would be > exhausted at some point, and that's also an abort condition. The comment on line 11 indicates how the loop is precluded. Do you think it's incorrect? Rich View attachment "dns_parse.diff" of type "text/plain" (668 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.