RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUG: dns: Prevent stack-exhaustion via recursion loop in dns_read_name 

When a compressed pointer is encountered, dns_read_name() will call
itself with the pointed-to offset in the packet.
With a specially crafted packet, it was possible to trigger an
infinite-loop recursion by making the pointer points to itself.
While it would be possible to handle that particular case differently
by making sure that the target is different from the current offset,
it would still be possible to craft a packet with a very long chain
of valid pointers, always pointing backwards. To prevent a stack
exhaustion in that case, this patch restricts the number of recursive
calls to 100, which should be more than enough.

To be backported to 1.8, probably also 1.7.
This commit is contained in:
Remi Gacogne 2018-12-05 17:52:54 +01:00 committed by Willy Tarreau
parent adb2220041
commit 58df5aea0a
1 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/dns.c
View File

@ -394,7 +394,7 @@ static inline unsigned short dns_response_get_query_id(unsigned char *resp)
*/
int dns_read_name(unsigned char *buffer, unsigned char *bufend,
unsigned char *name, char *destination, int dest_len,
int *offset)
int *offset, unsigned int depth)
{
int nb_bytes = 0, n = 0;
int label_len;
@ -408,8 +408,11 @@ int dns_read_name(unsigned char *buffer, unsigned char *bufend,
if ((buffer + reader[1]) > reader)
goto err;
if (depth++ > 100)
goto err;
n = dns_read_name(buffer, bufend, buffer + reader[1],
dest, dest_len - nb_bytes, offset);
dest, dest_len - nb_bytes, offset, depth);
if (n == 0)
goto err;
@ -695,7 +698,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
* one query per response and the first one can't be compressed
* (using the 0x0c format) */
offset = 0;
len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset);
len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset, 0);
if (len == 0)
return DNS_RESP_INVALID;
@ -732,7 +735,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
return (DNS_RESP_INVALID);
offset = 0;
len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
if (len == 0) {
pool_free(dns_answer_item_pool, dns_answer_record);
@ -829,7 +832,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
}
offset = 0;
len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
if (len == 0) {
pool_free(dns_answer_item_pool, dns_answer_record);
return DNS_RESP_INVALID;
@ -859,7 +862,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
dns_answer_record->port = read_n16(reader);
reader += sizeof(uint16_t);
offset = 0;
len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
if (len == 0) {
pool_free(dns_answer_item_pool, dns_answer_record);
return DNS_RESP_INVALID;