From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	MAILING_LIST_MULTI,NICE_REPLY_A,RCVD_IN_MSPIKE_H2 autolearn=ham
	autolearn_force=no version=3.4.4
Received: (qmail 2572 invoked from network); 22 Mar 2023 13:48:16 -0000
Received: from second.openwall.net (193.110.157.125)
  by inbox.vuxu.org with ESMTPUTF8; 22 Mar 2023 13:48:16 -0000
Received: (qmail 21635 invoked by uid 550); 22 Mar 2023 13:48:13 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Reply-To: musl@lists.openwall.com
Received: (qmail 21597 invoked from network); 22 Mar 2023 13:48:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=bell-sw-com.20210112.gappssmtp.com; s=20210112; t=1679492881;
        h=content-transfer-encoding:in-reply-to:subject:from:references:cc:to
         :content-language:user-agent:mime-version:date:message-id:from:to:cc
         :subject:date:message-id:reply-to;
        bh=kZzgBiPawVud4C6e/0GHbR+HEbIAI8sexssOR41Ek8Q=;
        b=2tjZq9XuwwipTaCkOToEXFKoExVHR5u/J7fa6UQ2GyMmZ7WQFL1vBL0ChMWY5r9nZP
         SUFEYMuoTYzNFY+0lJGAjI9yamw/0XhgUatSI13ddf4P2cx1fCqtRRgOJ3oyGeKUowHX
         02yLIhTE/NR6KlVQQKuoh3MzwiRt0VDqswxt2sPeCf6jUuKxXn0q1URUt2OBXY4NxHxD
         DSt8y22MsQZWvuvX6+yOxb2whd3qgxPod9soB211wXv85Fp5TmqU72sEMbcj/zhh7t1p
         l5LABAxE12XzahTd+pBvSKARdCRHY4SLPnKxr502ctYwhJWR3HBaA+HULHAmqqX7x+NW
         JsOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112; t=1679492881;
        h=content-transfer-encoding:in-reply-to:subject:from:references:cc:to
         :content-language:user-agent:mime-version:date:message-id
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=kZzgBiPawVud4C6e/0GHbR+HEbIAI8sexssOR41Ek8Q=;
        b=cdX3dQQyWnL1fw6eG1O8r4vRUKOP0zLHSOr/6WGVFtJmqo3o5dFHdJVIXjqPtTeKAi
         Z8UUKgFIidaQv96XJCPvKHMRRkjbbfnSHagrdHxo+5H+J7RaYN/iQE/pTAP0lYGratxx
         jHke9ajWlg1EeexY5wY3ScPUNJXtcfWwiojGmzY5PLJnX6qmGobSkVS6085BhTCYDrtH
         qQXVAV3Xa3xC2E/JH7hpIspyjs3gQ6kmvRZkn1FKIX18m4dSevLqU96TxiFMZyh7exo1
         5D2Kv6MiX/DI2L37rRVtAaWQXycsZopR2GVtQX9AJdjf/lwNagaShKyC9A9leB77cWyk
         f5kg==
X-Gm-Message-State: AO0yUKUj7whCcdA20f2Av7KxwEfKI2YIDfVJjsKDNUGlCP5geekV7YTL
	7U7xydcLMS4ogyPNrNZMEX/ealdxXwTzM8083g==
X-Google-Smtp-Source: AK7set8xS8HAMzs79SPcsU+Ztym9r7AYX18qfM4D4RqgoPYM855DUHleJL5phJhZZYrErRTYA9vQvw==
X-Received: by 2002:a2e:95d5:0:b0:29b:2527:4d0f with SMTP id y21-20020a2e95d5000000b0029b25274d0fmr2070640ljh.18.1679492881331;
        Wed, 22 Mar 2023 06:48:01 -0700 (PDT)
Message-ID: <4c0cc3b7-7b2b-f9c3-6a1a-6bb44c28d71d@bell-sw.com>
Date: Wed, 22 Mar 2023 16:48:00 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.8.0
Content-Language: en-US
To: Rich Felker <dalias@libc.org>
Cc: musl@lists.openwall.com
References: <20230322122916.116088-1-aleksei.kodanev@bell-sw.com>
 <20230322131651.GW4163@brightrain.aerifal.cx>
From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
In-Reply-To: <20230322131651.GW4163@brightrain.aerifal.cx>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [musl] [PATCH] dns: check length field in tcp response message

Hi Rich,
On 22.03.2023 16:16, Rich Felker wrote:
> On Wed, Mar 22, 2023 at 03:29:16PM +0300, Alexey Kodanev wrote:
>> The received length field in the message may be greater than the
>> size of the 'answer' buffer in which the message resides. Currently,
>> ABUF_SIZE is 768. And if we get a larger 'alen', it will result
>> in an out-of-bounds reading during parsing, because 'alen' will
>> be passed to __dns_parse() later:
>>
>>     __dns_parse(abuf[i], alens[i], dns_parse_callback, &ctx);
>>
>> To fix this, limit 'alen' to the size of the received buffer.
>> ---
>>  src/network/res_msend.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/src/network/res_msend.c b/src/network/res_msend.c
>> index fef7e3a2..291853de 100644
>> --- a/src/network/res_msend.c
>> +++ b/src/network/res_msend.c
>> @@ -297,6 +297,7 @@ int __res_msend_rc(int nqueries, const unsigned char *const *queries,
>>  			int rcode = answers[i][3] & 15;
>>  			if (rcode != 0 && rcode != 3)
>>  				goto out;
>> +			if (alen > asize) alen = asize;
>>  
>>  			/* Storing the length here commits the accepted answer.
>>  			 * Immediately close TCP socket so as not to consume
>> -- 
>> 2.25.1
> 
> This is incorrect. It breaks res_send, whose contract is to return the
> full answer length even if it did not fit, so that the caller can
> retry with the appropriate size.
> 
> Instead, name_from_dns just needs to clamp the value before passing it
> to __dns_parse.
> 

OK, I see, something like this or better with sizeof *abuf?

diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
index 5f6867cb..65b3e8fb 100644
--- a/src/network/lookup_name.c
+++ b/src/network/lookup_name.c
@@ -175,6 +175,7 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static
                if (alens[i] < 4 || (abuf[i][3] & 15) == 2) return EAI_AGAIN;
                if ((abuf[i][3] & 15) == 3) return 0;
                if ((abuf[i][3] & 15) != 0) return EAI_FAIL;
+               if (alens[i] > ABUF_SIZE) alens[i] = ABUF_SIZE;
        }

        for (i=nq-1; i>=0; i--) {