From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_MSPIKE_H2 autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 4722 invoked from network); 22 Mar 2023 14:07:51 -0000 Received: from second.openwall.net (193.110.157.125) by inbox.vuxu.org with ESMTPUTF8; 22 Mar 2023 14:07:51 -0000 Received: (qmail 1426 invoked by uid 550); 22 Mar 2023 14:07:49 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 1388 invoked from network); 22 Mar 2023 14:07:47 -0000 Date: Wed, 22 Mar 2023 10:07:35 -0400 From: Rich Felker To: Alexey Kodanev Cc: musl@lists.openwall.com Message-ID: <20230322140735.GX4163@brightrain.aerifal.cx> References: <20230322122916.116088-1-aleksei.kodanev@bell-sw.com> <20230322131651.GW4163@brightrain.aerifal.cx> <4c0cc3b7-7b2b-f9c3-6a1a-6bb44c28d71d@bell-sw.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4c0cc3b7-7b2b-f9c3-6a1a-6bb44c28d71d@bell-sw.com> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: [musl] [PATCH] dns: check length field in tcp response message On Wed, Mar 22, 2023 at 04:48:00PM +0300, Alexey Kodanev wrote: > Hi Rich, > On 22.03.2023 16:16, Rich Felker wrote: > > On Wed, Mar 22, 2023 at 03:29:16PM +0300, Alexey Kodanev wrote: > >> The received length field in the message may be greater than the > >> size of the 'answer' buffer in which the message resides. Currently, > >> ABUF_SIZE is 768. And if we get a larger 'alen', it will result > >> in an out-of-bounds reading during parsing, because 'alen' will > >> be passed to __dns_parse() later: > >> > >> __dns_parse(abuf[i], alens[i], dns_parse_callback, &ctx); > >> > >> To fix this, limit 'alen' to the size of the received buffer. > >> --- > >> src/network/res_msend.c | 1 + > >> 1 file changed, 1 insertion(+) > >> > >> diff --git a/src/network/res_msend.c b/src/network/res_msend.c > >> index fef7e3a2..291853de 100644 > >> --- a/src/network/res_msend.c > >> +++ b/src/network/res_msend.c > >> @@ -297,6 +297,7 @@ int __res_msend_rc(int nqueries, const unsigned char *const *queries, > >> int rcode = answers[i][3] & 15; > >> if (rcode != 0 && rcode != 3) > >> goto out; > >> + if (alen > asize) alen = asize; > >> > >> /* Storing the length here commits the accepted answer. > >> * Immediately close TCP socket so as not to consume > >> -- > >> 2.25.1 > > > > This is incorrect. It breaks res_send, whose contract is to return the > > full answer length even if it did not fit, so that the caller can > > retry with the appropriate size. > > > > Instead, name_from_dns just needs to clamp the value before passing it > > to __dns_parse. > > > > OK, I see, something like this or better with sizeof *abuf? > > diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c > index 5f6867cb..65b3e8fb 100644 > --- a/src/network/lookup_name.c > +++ b/src/network/lookup_name.c > @@ -175,6 +175,7 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static > if (alens[i] < 4 || (abuf[i][3] & 15) == 2) return EAI_AGAIN; > if ((abuf[i][3] & 15) == 3) return 0; > if ((abuf[i][3] & 15) != 0) return EAI_FAIL; > + if (alens[i] > ABUF_SIZE) alens[i] = ABUF_SIZE; > } > > for (i=nq-1; i>=0; i--) { I don't think it matters a whole lot which you use. sizeof abuf[i] might be the most clear. But I would move it down to the next loop that's about use of the results rather than the error-checking loop. Rich