Date: Sun, 16 Jul 2023 08:58:04 +0200
From: Markus Wichmann
To: musl@lists.openwall.com
Subject: [musl] Erroneous rejection of pointers in __dns_parse

Hi all,

__dns_parse() must skip over all domain names in the package as part of its operation, and it also checks if the domain names end in a pointer, and the pointer has an offset larger than 510, because then it also returns failure immediately. That is probably from before the TCP merge, when the response buffer was a fixed 512 bytes. Now it is 768, so pointers can have an offset of up to 766. Except they cannot have an offset larger than rlen-2 in any case.

I am not quite sure what the point of invalid pointer detection in __dns_parse() is, given that if the name ever actually matters, __dn_expand() will reject it in its operation. But the hardcoded limit in __dns_parse() means that packages from TCP cannot contain pointers that reference the last third of the buffer.

On a related note, I see that a malformed packet can send __dn_expand() into an infinite loop: If a pointer points to another pointer, they can form a loop. The loop can be arbitrarily complex, so history tracking would do no good. I think it would be a good idea to reject pointers to pointers in that function. Because then every pointer must cause at least two bytes to be written to the destination buffer, so it would be exhausted at some point, and that's also an abort condition.

Ciao,
Markus
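The two checks discussed in the mail, bounding a compression pointer by the actual packet length rather than a fixed constant, and refusing a pointer whose target is itself a pointer so that every hop must emit label bytes and a malicious chain is cut off by destination-buffer exhaustion, can be shown in a small stand-alone name expander. The code below is an added example written for this message; it is not musl's __dn_expand() or __dns_parse(), and the function name expand_name, its return convention and the three constructed packets are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Expand the (possibly compressed) DNS name at msg[off] into dst as a
 * dotted string.  Returns the number of bytes the name field occupies
 * at msg[off] (up to and including the first pointer or the terminating
 * zero), or -1 if the name is malformed.  Example code, not musl's. */
int expand_name(const unsigned char *msg, size_t msglen, size_t off,
                char *dst, size_t dstlen)
{
    size_t p = off, written = 0, consumed = 0;
    int after_pointer = 0;           /* did we just follow a pointer?   */

    if (dstlen == 0) return -1;
    for (;;) {
        if (p >= msglen) return -1;  /* ran off the end of the packet  */
        unsigned char c = msg[p];
        if ((c & 0xC0) == 0xC0) {
            /* Compression pointer, two bytes.  Reject a pointer that
             * targets another pointer: then every hop writes at least
             * one label byte into dst, so a malformed chain terminates
             * when dst is exhausted instead of looping forever. */
            if (after_pointer) return -1;
            if (p + 1 >= msglen) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[p + 1];
            /* Bound the target by the packet actually received, not by
             * a hard-coded buffer size such as 510. */
            if (target >= msglen) return -1;
            if (!consumed) consumed = p + 2 - off;
            p = target;
            after_pointer = 1;
        } else if ((c & 0xC0) == 0) {
            if (c == 0) {            /* root label: end of name         */
                if (!consumed) consumed = p + 1 - off;
                dst[written] = 0;
                return (int)consumed;
            }
            if (p + 1 + c > msglen) return -1;  /* label runs off packet */
            /* Need c bytes, a separating dot if not first, and a NUL. */
            size_t need = c + (written ? 1 : 0);
            if (written + need >= dstlen) return -1;  /* dst exhausted   */
            if (written) dst[written++] = '.';
            memcpy(dst + written, msg + p + 1, c);
            written += c;
            p += 1 + c;
            after_pointer = 0;
        } else {
            return -1;               /* 0x40/0x80 label types unsupported */
        }
    }
}

/* Constructed packets for the demonstration (not real captures). */

/* "a" followed by a pointer back to itself: a.a.a.a... until dst fills. */
static const unsigned char PKT_LOOP[] = { 1, 'a', 0xC0, 0x00 };

/* "foo" at 0, a pointer to it at 5, and a pointer to that pointer at 7. */
static const unsigned char PKT_PTR2PTR[] = {
    3, 'f', 'o', 'o', 0, 0xC0, 0x00, 0xC0, 0x05 };

/* "example" at 0, "www" + pointer to offset 0 at 9 => www.example */
static const unsigned char PKT_VALID[] = {
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0,
    3, 'w', 'w', 'w', 0xC0, 0x00 };

int main(void)
{
    char buf[64];
    printf("loop:    %d\n", expand_name(PKT_LOOP, sizeof PKT_LOOP, 0, buf, 8));
    printf("ptr2ptr: %d\n", expand_name(PKT_PTR2PTR, sizeof PKT_PTR2PTR, 7, buf, sizeof buf));
    int n = expand_name(PKT_VALID, sizeof PKT_VALID, 9, buf, sizeof buf);
    printf("valid:   %d \"%s\"\n", n, buf);
    return 0;
}
```

The loop packet is the case the mail describes: the label and the pointer keep feeding each other, but because each pass through the pointer lands on a label, dst fills up and the function returns -1 rather than spinning. The pointer-to-pointer packet is rejected on the second hop, while the same packet's name at offset 5 (a lone pointer to "foo") is accepted, since that is an ordinary pointer to a label.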