From 56cd5ad14da42f896013269a3226c2f95bf9edc9 Mon Sep 17 00:00:00 2001 From: Daniel Wagner Date: Sun, 16 Jan 2022 14:59:14 +0100 Subject: [PATCH 1/4] dnsproxy: Validate input data before using them dnsproxy is not validating various input data. Add a bunch of checks. Fixes: CVE-2022-23097 Fixes: CVE-2022-23096 --- src/dnsproxy.c | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/src/dnsproxy.c b/src/dnsproxy.c index fbbee0413f8f..cd570d68c8b3 100644 --- a/src/dnsproxy.c +++ b/src/dnsproxy.c @@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, if (offset < 0) return offset; + if (reply_len < 0) + return -EINVAL; + if (reply_len < offset + 1) + return -EINVAL; + if ((size_t)reply_len < sizeof(struct domain_hdr)) + return -EINVAL; hdr = (void *)(reply + offset); dns_id = reply[offset] | reply[offset + 1] << 8; @@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, */ if (req->append_domain && ntohs(hdr->qdcount) == 1) { uint16_t domain_len = 0; - uint16_t header_len; + uint16_t header_len, payload_len; uint16_t dns_type, dns_class; uint8_t host_len, dns_type_pos; char uncompressed[NS_MAXDNAME], *uptr; char *ptr, *eom = (char *)reply + reply_len; + char *domain; /* * ptr points to the first char of the hostname. * ->hostname.domain.net */ header_len = offset + sizeof(struct domain_hdr); + if (reply_len < header_len) + return -EINVAL; + payload_len = reply_len - header_len; + ptr = (char *)reply + header_len; host_len = *ptr; + domain = ptr + 1 + host_len; + if (domain > eom) + return -EINVAL; + if (host_len > 0) - domain_len = strnlen(ptr + 1 + host_len, - reply_len - header_len); + domain_len = strnlen(domain, eom - domain); /* * If the query type is anything other than A or AAAA, @@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, */ dns_type_pos = host_len + 1 + domain_len + 1; + if (ptr + (dns_type_pos + 3) > eom) + return -EINVAL; dns_type = ptr[dns_type_pos] << 8 | ptr[dns_type_pos + 1]; dns_class = ptr[dns_type_pos + 2] << 8 | @@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, int new_len, fixed_len; char *answers; + if (len > payload_len) + return -EINVAL; /* * First copy host (without domain name) into * tmp buffer. @@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, * Copy type and class fields of the question. */ ptr += len + domain_len + 1; + if (ptr + NS_QFIXEDSZ > eom) + return -EINVAL; memcpy(uptr, ptr, NS_QFIXEDSZ); /* @@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, uptr += NS_QFIXEDSZ; answers = uptr; fixed_len = answers - uncompressed; + if (ptr + offset > eom) + return -EINVAL; /* * We then uncompress the result to buffer @@ -2254,8 +2276,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition, len = recv(sk, buf, sizeof(buf), 0); - if (len >= 12) - forward_dns_reply(buf, len, IPPROTO_UDP, data); + forward_dns_reply(buf, len, IPPROTO_UDP, data); return TRUE; } -- 2.34.1