From 58df5aea0a0c926b2238f65908f5e9f83d1cca25 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Wed, 5 Dec 2018 17:52:54 +0100 Subject: [PATCH] BUG: dns: Prevent stack-exhaustion via recursion loop in dns_read_name When a compressed pointer is encountered, dns_read_name() will call itself with the pointed-to offset in the packet. With a specially crafted packet, it was possible to trigger an infinite-loop recursion by making the pointer points to itself. While it would be possible to handle that particular case differently by making sure that the target is different from the current offset, it would still be possible to craft a packet with a very long chain of valid pointers, always pointing backwards. To prevent a stack exhaustion in that case, this patch restricts the number of recursive calls to 100, which should be more than enough. To be backported to 1.8, probably also 1.7. --- src/dns.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/src/dns.c b/src/dns.c index 2a53c038c3..50fc16e09f 100644 --- a/src/dns.c +++ b/src/dns.c @@ -394,7 +394,7 @@ static inline unsigned short dns_response_get_query_id(unsigned char *resp) */ int dns_read_name(unsigned char *buffer, unsigned char *bufend, unsigned char *name, char *destination, int dest_len, - int *offset) + int *offset, unsigned int depth) { int nb_bytes = 0, n = 0; int label_len; @@ -408,8 +408,11 @@ int dns_read_name(unsigned char *buffer, unsigned char *bufend, if ((buffer + reader[1]) > reader) goto err; + if (depth++ > 100) + goto err; + n = dns_read_name(buffer, bufend, buffer + reader[1], - dest, dest_len - nb_bytes, offset); + dest, dest_len - nb_bytes, offset, depth); if (n == 0) goto err; @@ -695,7 +698,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend, * one query per response and the first one can't be compressed * (using the 0x0c format) */ offset = 0; - len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset); + len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset, 0); if (len == 0) return DNS_RESP_INVALID; @@ -732,7 +735,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend, return (DNS_RESP_INVALID); offset = 0; - len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset); + len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0); if (len == 0) { pool_free(dns_answer_item_pool, dns_answer_record); @@ -829,7 +832,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend, } offset = 0; - len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset); + len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0); if (len == 0) { pool_free(dns_answer_item_pool, dns_answer_record); return DNS_RESP_INVALID; @@ -859,7 +862,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend, dns_answer_record->port = read_n16(reader); reader += sizeof(uint16_t); offset = 0; - len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset); + len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0); if (len == 0) { pool_free(dns_answer_item_pool, dns_answer_record); return DNS_RESP_INVALID;