[riot-notifications] [RIOT-OS/RIOT] sock_dns: fix out-of-bound errors (#10740)

PyroPeter notifications at github.com
Wed Jan 9 21:09:34 CET 2019


pyropeter commented on this pull request.



> @@ -95,6 +95,10 @@ static int _parse_dns_reply(uint8_t *buf, size_t len, void* addr_out, int family
 
     /* skip all queries that are part of the reply */
     for (unsigned n = 0; n < ntohs(hdr->qdcount); n++) {
+        if (bufpos >= (buf + len)) {
+            /* out-of-bound */
+            return -EBADMSG;
+        }
         bufpos += _skip_hostname(bufpos);
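Review bot: the new check before `bufpos += _skip_hostname(bufpos);` only confirms that the first byte of the name lies inside the buffer; `_skip_hostname` is not handed the remaining length, so a label whose length byte claims more bytes than remain before `buf + len` is still read out of bounds, and the returned length is added to `bufpos` without any check. Pass `(buf + len) - bufpos` into the skip routine, have it return a negative value when a label or compression pointer would cross that limit, and test the result before advancing, e.g. `int r = _skip_hostname(bufpos, (buf + len) - bufpos); if (r < 0) { return -EBADMSG; }`.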

This is still open to a DoS attack, because `_skip_hostname` is very broken and will do out-of-bounds reads for many inputs. It also isn't supplied with the packet size, so it can't even detect out-of-bounds reads.

> @@ -108,8 +112,11 @@ static int _parse_dns_reply(uint8_t *buf, size_t len, void* addr_out, int family
         bufpos += 4; /* skip ttl */
 
         unsigned addrlen = ntohs(_get_short(bufpos));
+        if (addrlen > SOCK_DNS_MAX_ADDR_LEN) {
+            return -EINVAL;
+        }
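Review bot: the `addrlen > SOCK_DNS_MAX_ADDR_LEN` check rejects the entire reply as soon as any answer RR carries an RDLENGTH larger than an address, so a CNAME record in the answer section (the normal shape of a reply for an aliased name) fails the lookup with -EINVAL even though a valid A/AAAA record follows it. It also does not bound `addrlen` against the packet: `_get_short(bufpos)` reads two bytes without any visible check that `bufpos + 2 <= buf + len`, and nothing in this hunk confirms `bufpos + 2 + addrlen <= buf + len` before the RDATA is used. Check the RDLENGTH against the bytes remaining in the packet, skip records whose TYPE is not the requested one with `bufpos += addrlen`, and only then require `addrlen` to equal the address size for the matching family.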

This will cause issues with parsing valid DNS messages that contain a large RRset, like a combination of CNAME and A. (see e.g. `dig @ns2.ccchb.de A files.ccchb.de`)

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/RIOT-OS/RIOT/pull/10740#pullrequestreview-190881337
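The two review remarks above come down to the same requirements: a name-skipping routine that is given the remaining packet length and reports truncation instead of reading past it, and an answer walk that skips non-matching records by their RDLENGTH rather than rejecting the reply. The following is an added example written for this thread; it is not RIOT's code and does not reuse `_skip_hostname` or `_parse_dns_reply`. The function names (`dns_skip_name`, `dns_skip_questions`, `dns_find_rdata`, `dns_lookup_a_u32`) are hypothetical, and the reply packet is constructed by hand (example.com names, a TEST-NET address) rather than captured from any resolver.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_MAX_NAME_LEN 255U   /* RFC 1035 section 2.3.4 */

/* Skip one wire-format name at buf[pos] without reading past the len-byte
 * packet. Returns the offset just past the name, or -EBADMSG. A compression
 * pointer ends the name on the wire, so only its two bytes are consumed and
 * it is never followed; pointer loops therefore cannot hang the parser. */
static int dns_skip_name(const uint8_t *buf, size_t len, size_t pos)
{
    size_t walked = 0;                          /* label bytes seen so far */
    for (;;) {
        if (pos >= len) return -EBADMSG;        /* length byte out of bounds */
        uint8_t lab = buf[pos];
        if ((lab & 0xC0U) == 0xC0U)             /* 11xxxxxx: compression pointer */
            return (pos + 2 <= len) ? (int)(pos + 2) : -EBADMSG;
        if (lab & 0xC0U) return -EBADMSG;       /* 01/10 label types undefined */
        pos++;
        if (lab == 0) return (int)pos;          /* root label ends the name */
        walked += lab + 1U;
        if (walked > DNS_MAX_NAME_LEN || lab > len - pos) return -EBADMSG;
        pos += lab;                             /* label body is in bounds */
    }
}

/* Skip qdcount question entries (NAME, QTYPE, QCLASS), bounds-checked. */
static int dns_skip_questions(const uint8_t *buf, size_t len, size_t pos,
                              unsigned qdcount)
{
    for (unsigned n = 0; n < qdcount; n++) {
        int r = dns_skip_name(buf, len, pos);
        if (r < 0) return r;
        pos = (size_t)r;
        if (len - pos < 4) return -EBADMSG;     /* QTYPE + QCLASS */
        pos += 4;
    }
    return (int)pos;
}

/* Walk ancount answer RRs from pos; copy the RDATA of the first IN record of
 * want_type whose RDLENGTH equals addrlen into addr_out. Other records (e.g. a
 * CNAME ahead of the A record) are skipped by their RDLENGTH, not rejected.
 * Returns addrlen, -ENOENT if nothing matched, -EBADMSG on truncation. */
static int dns_find_rdata(const uint8_t *buf, size_t len, size_t pos,
                          unsigned ancount, uint16_t want_type,
                          size_t addrlen, uint8_t *addr_out)
{
    for (unsigned n = 0; n < ancount; n++) {
        int r = dns_skip_name(buf, len, pos);
        if (r < 0) return r;
        pos = (size_t)r;
        if (len - pos < 10) return -EBADMSG;    /* TYPE CLASS TTL RDLENGTH */
        uint16_t type = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        uint16_t cls = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        size_t rdlen = (size_t)((buf[pos + 8] << 8) | buf[pos + 9]);
        pos += 10;
        if (rdlen > len - pos) return -EBADMSG; /* RDATA runs past the packet */
        if (type == want_type && cls == 1 && rdlen == addrlen) {
            memcpy(addr_out, buf + pos, addrlen);
            return (int)addrlen;
        }
        pos += rdlen;
    }
    return -ENOENT;
}

/* Parse a whole reply for its A record; returns the address packed big-endian
 * (192.0.2.10 -> 0xC000020A) or 0 on any parse failure. */
static uint32_t dns_lookup_a_u32(const uint8_t *buf, size_t len)
{
    if (len < 12) return 0;                     /* header is 12 bytes */
    unsigned qdcount = (buf[4] << 8) | buf[5];
    unsigned ancount = (buf[6] << 8) | buf[7];
    int pos = dns_skip_questions(buf, len, 12, qdcount);
    uint8_t a[4];
    if (pos < 0 || dns_find_rdata(buf, len, (size_t)pos, ancount, 1, 4, a) != 4) return 0;
    return ((uint32_t)a[0] << 24) | ((uint32_t)a[1] << 16) | ((uint32_t)a[2] << 8) | a[3];
}

/* Constructed reply (not captured traffic): files.example.com CNAME
 * www.example.com, then A 192.0.2.10, with compression pointers. */
static const uint8_t reply[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
    5, 'f', 'i', 'l', 'e', 's', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e',
    3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,                 /* question */
    0xC0, 0x0C, 0x00, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3C,  /* CNAME RR */
    0x00, 0x06, 3, 'w', 'w', 'w', 0xC0, 0x12,
    0xC0, 0x2F, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3C,  /* A RR */
    0x00, 0x04, 192, 0, 2, 10,
};
/* Constructed malformed names: label past the end, dangling pointer,
 * undefined label type. */
static const uint8_t bad_label[] = { 0x3F, 'a' };
static const uint8_t bad_ptr[] = { 0xC0 };
static const uint8_t bad_type[] = { 0x40, 0x00 };
```

Every read is preceded by a comparison against the bytes remaining in the packet, the skip routine refuses to follow compression pointers, and a CNAME with a six-byte RDATA passes through `dns_find_rdata` on the way to the A record instead of aborting the lookup. Feeding the same reply with a shortened `len` (or the three malformed names) yields -EBADMSG rather than a read beyond the buffer.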

