From: Felix Janda <felix.janda@posteo.de>
To: musl@lists.openwall.com
Subject: Re: Merging ns_parse from Alpine
Date: Sun, 14 Dec 2014 08:38:15 +0100
Message-ID: <20141214073650.GA1330@euler>
In-Reply-To: <20141214004320.GA17102@brightrain.aerifal.cx>
Rich Felker wrote:
> I'm working on merging Timo's patch for ns_parse:
>
> http://git.alpinelinux.org/cgit/aports/tree/main/musl/1001-add-basic-dns-record-parsing-functions.patch?id=81d50064c335467fdfd80368bac6707d70db1af7
>
> The first issue that came up in the process is that arpa/nameser.h,
> which was previously not used by musl itself and really should never
> have been accepted in its current form, is full of junk like
> statement-expressions. Including it in a file that will be compiled
> with musl adds build dependency on these nonstandard features. I
> cleaned that up with no problem (just un-inlining the macros since
> we're adding function versions anyway), but there are a few more
> issues.
The NS_GET* macros still seem to be used a lot in the code.
> The main issue is that the parser functions have pointer arithmetic
> overflows (UB) checking against the end-of-message pointer. I've tried
> to fix that and I'm attaching a patch for review, along with my
> version of the fixed file. I'd appreciate comments on whether I missed
> anything.
>
> Other changes were mostly cosmetic or at least mechanical.
>
> Rich
I didn't notice any missed checks but I think that some checks can be
simplified:
[..]
> int ns_initparse(const unsigned char *msg, int msglen, ns_msg *handle)
> {
>     int i, r;
>
>     handle->_msg = msg;
>     handle->_eom = msg + msglen;
>     if (msglen < (2 + ns_s_max) * NS_INT16SZ) goto bad;
>     NS_GET16(handle->_id, msg);
>     NS_GET16(handle->_flags, msg);
>     for (i = 0; i < ns_s_max; i++) {
>         if (NS_INT16SZ > handle->_eom - msg) goto bad;
Isn't this unnecessary given the above check?
>         NS_GET16(handle->_counts[i], msg);
>     }
>     for (i = 0; i < ns_s_max; i++) {
>         if (handle->_counts[i]) {
>             handle->_sections[i] = msg;
>             r = ns_skiprr(msg, handle->_eom, i, handle->_counts[i]);
>             if (r < 0) return -1;
>             msg += r;
>         } else {
>             handle->_sections[i] = NULL;
>         }
>     }
>     if (msg != handle->_eom) goto bad;
>     handle->_sect = ns_s_max;
>     handle->_rrnum = -1;
>     handle->_msg_ptr = NULL;
>     return 0;
> bad:
>     errno = EMSGSIZE;
>     return -1;
> }
>
> int ns_skiprr(const unsigned char *ptr, const unsigned char *eom, ns_sect section, int count)
> {
>     const unsigned char *p = ptr;
>     int r;
>
>     while (count--) {
>         r = dn_skipname(p, eom);
>         if (r < 0) goto bad;
>         if (r + 2 * NS_INT16SZ > eom - p) goto bad;
>         p += r + 2 * NS_INT16SZ;
>         if (section != ns_s_qd) {
>             if (NS_INT32SZ + NS_INT16SZ > eom - p) goto bad;
>             p += NS_INT32SZ;
>             NS_GET16(r, p);
>             if (r > eom - p) goto bad;
Couldn't the two checks be combined into one?
>             p += r;
>         }
>     }
>     return p - ptr;
> bad:
>     errno = EMSGSIZE;
>     return -1;
> }
>
> int ns_parserr(ns_msg *handle, ns_sect section, int rrnum, ns_rr *rr)
> {
>     int r;
>
>     if (section < 0 || section >= ns_s_max) goto bad;
>     if (section != handle->_sect) {
>         handle->_sect = section;
>         handle->_rrnum = 0;
>         handle->_msg_ptr = handle->_sections[section];
>     }
>     if (rrnum == -1) rrnum = handle->_rrnum;
>     if (rrnum < 0 || rrnum >= handle->_counts[section]) goto bad;
>     if (rrnum < handle->_rrnum) {
>         handle->_rrnum = 0;
>         handle->_msg_ptr = handle->_sections[section];
>     }
>     if (rrnum > handle->_rrnum) {
>         r = ns_skiprr(handle->_msg_ptr, handle->_eom, section, rrnum - handle->_rrnum);
>         if (r < 0) return -1;
>         handle->_msg_ptr += r;
>         handle->_rrnum = rrnum;
>     }
>     r = dn_expand(handle->_msg, handle->_eom, handle->_msg_ptr, rr->name, NS_MAXDNAME);
>     if (r < 0) return -1;
dn_expand doesn't set errno.
>     handle->_msg_ptr += r;
>     if (2 * NS_INT16SZ > handle->_eom - handle->_msg_ptr) goto size;
>     NS_GET16(rr->type, handle->_msg_ptr);
>     NS_GET16(rr->rr_class, handle->_msg_ptr);
>     if (section != ns_s_qd) {
>         if (NS_INT32SZ + NS_INT16SZ > handle->_eom - handle->_msg_ptr) goto size;
>         NS_GET32(rr->ttl, handle->_msg_ptr);
>         NS_GET16(rr->rdlength, handle->_msg_ptr);
>         if (rr->rdlength > handle->_eom - handle->_msg_ptr) goto size;
>         rr->rdata = handle->_msg_ptr;
>         handle->_msg_ptr += rr->rdlength;
>     } else {
>         rr->ttl = 0;
>         rr->rdlength = 0;
>         rr->rdata = NULL;
>     }
>     handle->_rrnum++;
>     if (handle->_rrnum > handle->_counts[section]) {
>         handle->_sect = section + 1;
>         if (handle->_sect == ns_s_max) {
>             handle->_rrnum = -1;
>             handle->_msg_ptr = NULL;
>         } else {
>             handle->_rrnum = 0;
>         }
>     }
>     return 0;
> bad:
>     errno = ENODEV;
>     return -1;
> size:
>     errno = EMSGSIZE;
>     return -1;
> }
>
> int ns_name_uncompress(const unsigned char *msg, const unsigned char *eom,
>                        const unsigned char *src, char *dst, size_t dstsiz)
> {
>     int r;
>     r = dn_expand(msg, eom, src, dst, dstsiz);
>     if (r < 0) errno = EMSGSIZE;
>     return r;
> }
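The bounds-checking pattern under discussion, as an added, self-contained C example that is not part of this thread and not the musl or Alpine code: every length check is written as `need > eom - p`, so the end-of-message pointer is compared against a remaining length instead of forming a pointer past the buffer; the fixed part of a resource record is checked with a single combined comparison, as suggested above for ns_skiprr; and the header is checked once for all six 16-bit fields, as suggested for ns_initparse. `skip_name` is a hypothetical stand-in for dn_skipname, `skip_rrs` and `check_message` are simplified analogues of ns_skiprr and ns_initparse (section 0 is the question section, all others carry ttl and rdlength), and `sample_msg` is a constructed 45-byte response.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define INT16SZ 2
#define INT32SZ 4
enum { SECT_QD = 0, SECT_AN = 1 };   /* question section and answer section */

/* Hypothetical stand-in for dn_skipname(3): skip a possibly compressed name at p.
 * Returns bytes consumed, or -1 if truncated or malformed. Every check is of the
 * form "need > eom - q", so an out-of-bounds pointer is never formed. */
int skip_name(const unsigned char *p, const unsigned char *eom)
{
    const unsigned char *q = p;
    unsigned len;
    for (;;) {
        if (1 > eom - q) return -1;             /* label length byte */
        len = *q;
        if ((len & 0xc0) == 0xc0) {             /* compression pointer ends the name */
            if (2 > eom - q) return -1;
            q += 2;
            break;
        }
        if (len & 0xc0) return -1;              /* reserved label types */
        if ((ptrdiff_t)len + 1 > eom - q) return -1;
        q += len + 1;
        if (len == 0) break;                    /* root label ends the name */
    }
    return (int)(q - p);
}

/* Skip count RRs of a section, in the spirit of ns_skiprr. The fixed part after
 * the name is bounds-checked once (the combined check suggested in the reply).
 * Returns bytes consumed, or -1 with errno = EMSGSIZE. */
int skip_rrs(const unsigned char *ptr, const unsigned char *eom, int section, int count)
{
    const unsigned char *p = ptr;
    ptrdiff_t fixed;
    unsigned rdlength;
    int r;
    while (count-- > 0) {
        r = skip_name(p, eom);
        if (r < 0) goto bad;
        p += r;
        fixed = (section == SECT_QD) ? 2 * INT16SZ : 2 * INT16SZ + INT32SZ + INT16SZ;
        if (fixed > eom - p) goto bad;
        if (section == SECT_QD) {
            p += fixed;                         /* type, class */
        } else {
            p += 2 * INT16SZ + INT32SZ;         /* type, class, ttl */
            rdlength = (p[0] << 8) | p[1];      /* big-endian, as NS_GET16 reads it */
            p += INT16SZ;
            if ((ptrdiff_t)rdlength > eom - p) goto bad;
            p += rdlength;
        }
    }
    return (int)(p - ptr);
bad:
    errno = EMSGSIZE;
    return -1;
}

/* Walk a whole message like ns_initparse: one size check covers all six header
 * fields, each section is skipped, and the walk must end exactly at eom. */
int check_message(const unsigned char *msg, size_t len)
{
    const unsigned char *eom = msg + len, *p;
    unsigned counts[4];
    int i, r;
    if (len < 6 * INT16SZ) { errno = EMSGSIZE; return -1; }
    p = msg + 6 * INT16SZ;                      /* only formed once it is known to be in range */
    for (i = 0; i < 4; i++)
        counts[i] = (msg[(2 + i) * INT16SZ] << 8) | msg[(2 + i) * INT16SZ + 1];
    for (i = 0; i < 4; i++) {
        if (!counts[i]) continue;
        r = skip_rrs(p, eom, i, (int)counts[i]);   /* sections 1..3 all carry ttl/rdlength */
        if (r < 0) return -1;
        p += r;
    }
    if (p != eom) { errno = EMSGSIZE; return -1; }  /* trailing bytes are an error too */
    return 0;
}

/* Constructed sample: a 45-byte response with one question (example.com IN A)
 * and one answer whose name is a compression pointer to offset 12. */
const unsigned char sample_msg[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,                /* header */
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, 0, 1, 0, 1, /* question */
    0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0, 0x3c, 0, 4, 93, 184, 216, 34  /* answer */
};

int main(void)
{
    printf("full message: %d\n", check_message(sample_msg, sizeof sample_msg));
    printf("truncated by one byte: %d\n", check_message(sample_msg, sizeof sample_msg - 1));
    return 0;
}
```

Built with any C compiler, the program reports 0 for the full message and -1 for the copy shortened by one byte, where the answer's rdlength no longer fits and `skip_rrs` rejects it with EMSGSIZE before the pointer is advanced.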