From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_MSPIKE_H2 autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 31277 invoked from network); 22 Mar 2023 13:17:07 -0000 Received: from second.openwall.net (193.110.157.125) by inbox.vuxu.org with ESMTPUTF8; 22 Mar 2023 13:17:07 -0000 Received: (qmail 32166 invoked by uid 550); 22 Mar 2023 13:17:04 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 32131 invoked from network); 22 Mar 2023 13:17:03 -0000 Date: Wed, 22 Mar 2023 09:16:51 -0400 From: Rich Felker To: Alexey Kodanev Cc: musl@lists.openwall.com Message-ID: <20230322131651.GW4163@brightrain.aerifal.cx> References: <20230322122916.116088-1-aleksei.kodanev@bell-sw.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230322122916.116088-1-aleksei.kodanev@bell-sw.com> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: [musl] [PATCH] dns: check length field in tcp response message On Wed, Mar 22, 2023 at 03:29:16PM +0300, Alexey Kodanev wrote: > The received length field in the message may be greater than the > size of the 'answer' buffer in which the message resides. Currently, > ABUF_SIZE is 768. And if we get a larger 'alen', it will result > in an out-of-bounds reading during parsing, because 'alen' will > be passed to __dns_parse() later: > > __dns_parse(abuf[i], alens[i], dns_parse_callback, &ctx); > > To fix this, limit 'alen' to the size of the received buffer. > --- > src/network/res_msend.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/src/network/res_msend.c b/src/network/res_msend.c > index fef7e3a2..291853de 100644 > --- a/src/network/res_msend.c > +++ b/src/network/res_msend.c > @@ -297,6 +297,7 @@ int __res_msend_rc(int nqueries, const unsigned char *const *queries, > int rcode = answers[i][3] & 15; > if (rcode != 0 && rcode != 3) > goto out; > + if (alen > asize) alen = asize; > > /* Storing the length here commits the accepted answer. > * Immediately close TCP socket so as not to consume > -- > 2.25.1 This is incorrect. It breaks res_send, whose contract is to return the full answer length even if it did not fit, so that the caller can retry with the appropriate size. Instead, name_from_dns just needs to clamp the value before passing it to __dns_parse. Rich