On Sun, Jul 16, 2023 at 08:58:04AM +0200, Markus Wichmann wrote:
> Hi all,
>
> __dns_parse() must skip over all domain names in the package as part of
> its operation, and it also checks if the domain names end in a pointer,
> and the pointer has an offset larger than 510, because then it also
> returns failure immediately. That is probably from before the TCP merge,
> when the response buffer was a fixed 512 bytes. Now it is 768, so
> pointers can have an offset of up to 766. Except they cannot have an
> offset larger than rlen-2 in any case.

Following commit 12590c8bbd04ea484cee86812e2258fbdfca0e59, does the
attached fix seem ok?

> I am not quite sure what the point of invalid pointer detection in
> __dns_parse() is, given that if the name ever actually matters,
> __dn_expand() will reject it in its operation. But the hardcoded limit
> in __dns_parse() means that packages from TCP cannot contain pointers
> that reference the last third of the buffer.
>
> On a related note, I see that a malformed packet can send __dn_expand()
> into an infinite loop: If a pointer points to another pointer, they can
> form a loop. The loop can be arbitrarily complex, so history tracking
> would do no good. I think it would be a good idea to reject pointers to
> pointers in that function. Because then every pointer must cause at
> least two bytes to be written to the destination buffer, so it would be
> exhausted at some point, and that's also an abort condition.

The comment on line 11 indicates how the loop is precluded. Do you think
it's incorrect?

Rich
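The two points under discussion (a compression pointer is valid whenever its target lies inside the message, regardless of any 512-byte limit, and a pointer loop can be precluded without history tracking) can be shown in a small decompressor. The following is an added example written for this page, not musl's dn_expand or dns_parse; the function names `expand_name`, `fixture_expand`, `fixture_name` and `far_pointer_expand` and the byte fixtures are constructed here. The loop is stopped by an iteration budget tied to the message length: in a loop-free walk every step (a label or a 2-byte pointer) covers at least two distinct bytes of the message, so any walk that takes more than (end-base)/2 steps must have revisited a position.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Decompress the DNS name at src within the message [base, end) into dest.
 * Returns the number of bytes the name occupies at src, or -1 if malformed.
 * Example code for this page, not musl's own dn_expand. */
static int expand_name(const unsigned char *base, const unsigned char *end,
                       const unsigned char *src, char *dest, size_t space)
{
    const unsigned char *p = src;
    char *d = dest, *dend;
    int len = -1;              /* bytes consumed at src; fixed by first pointer */
    ptrdiff_t i;

    if (p >= end || space == 0) return -1;
    dend = dest + (space > 254 ? 254 : space);   /* room for 253 chars + NUL */

    /* Iteration budget: a loop-free walk never takes more than (end-base)/2
     * steps, so exhausting the budget means a pointer cycle. */
    for (i = 0; i < end - base; i += 2) {
        /* invariants: p < end, d < dend */
        if (*p & 0xc0) {
            if ((*p & 0xc0) != 0xc0) return -1;  /* 0x40/0x80 are reserved */
            if (p + 1 >= end) return -1;          /* truncated pointer */
            ptrdiff_t j = ((p[0] & 0x3f) << 8) | p[1];
            if (len < 0) len = (int)(p + 2 - src);
            if (j >= end - base) return -1;       /* target outside message */
            p = base + j;                         /* any in-range offset is fine */
        } else if (*p) {
            unsigned char n = *p++;               /* label length 1..63 */
            if (d != dest) {
                if (d >= dend) return -1;
                *d++ = '.';
            }
            /* n >= end-p would let p reach end; n >= dend-d would fill dest */
            if (n >= end - p || n >= dend - d) return -1;
            memcpy(d, p, n);
            d += n;
            p += n;
        } else {
            *d = 0;                               /* root label ends the name */
            if (len < 0) len = (int)(p + 1 - src);
            return len;
        }
    }
    return -1;   /* budget exhausted: compression pointer loop */
}

/* Constructed 37-byte message (not captured traffic). */
static const unsigned char msg[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,                 /* 12-byte header, ignored   */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, /* offset 12: example.com */
    3,'w','w','w', 0xc0, 12,                   /* offset 25: www + ptr -> 12 */
    0xc0, 33, 0xc0, 31,                        /* offsets 31/33: ptr loop    */
    0xc0, 255,                                 /* offset 35: ptr past end    */
};

static char last_name[256];

/* Expand the name at offset off of msg; result text via fixture_name(). */
int fixture_expand(size_t off)
{
    int r = expand_name(msg, msg + sizeof msg, msg + off, last_name, sizeof last_name);
    if (r < 0) last_name[0] = 0;
    return r;
}
const char *fixture_name(void) { return last_name; }

/* The TCP case from the thread: a 768-byte response with a pointer at
 * offset 700 (well above 510) back to "example.com" at offset 12. */
int far_pointer_expand(void)
{
    static unsigned char big[768];
    memset(big, 0, sizeof big);
    memcpy(big + 12, msg + 12, 13);
    big[700] = 0xc0;
    big[701] = 12;
    int r = expand_name(big, big + sizeof big, big + 700, last_name, sizeof last_name);
    if (r < 0) last_name[0] = 0;
    return r;
}

int main(void)
{
    size_t offs[] = {12, 25, 31, 35};
    for (size_t k = 0; k < 4; k++)
        printf("offset %2zu -> %2d %s\n", offs[k], fixture_expand(offs[k]), fixture_name());
    printf("far ptr   -> %2d %s\n", far_pointer_expand(), fixture_name());
    return 0;
}
```

The two rejections are deliberately different in kind: an out-of-range pointer fails on the `j >= end - base` check on the first step, while the 31/33 cycle is structurally valid at every step and is only caught when the budget runs out. Both return -1, which is what a caller like a response parser needs to treat the whole answer as unusable.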