Age | Commit message (Collapse) | Author | Lines |
|
DNS parsing callbacks pass the response buffer end instead of the actual
response end to dn_expand, so a malformed DNS response can use message
compression to make dn_expand jump past the response end and attempt to
parse uninitialized parts of that buffer, which might succeed and return
garbage.
|
|
There are several issues with range checks in this function:
* The question section parsing loop can read up to two out-of-bounds
bytes before doing the range check and bailing out.
* The answer section parsing loop, in addition to the same issue as
above, uses the wrong length in the range check that doesn't prevent
OOB reads when computing len later.
* The len range check before calling the callback is off by 10. Also,
p+len can overflow in a (probably theoretical) case when p is within
2^16 from UINTPTR_MAX.
Because __dns_parse is used only with stack-allocated buffers, such
small overreads can't result in a segfault. The first two also don't
affect the function result, but the last one may result in getaddrinfo
incorrectly succeeding and returning up to 10 bytes past the
response buffer as a part of the IP address, and in (canon) name
returned by getaddrinfo/getnameinfo being affected by memory past the
response buffer (because dn_expand might interpret it as a pointer).
|
|
the source file for this function is completely standalone, but it
doesn't seem worth adding a header just for it, so declare it in
lookup.h for now.
|
|
since the buffer passed always has an actual size of 512 bytes, the
maximum possible response packet size, no out-of-bounds access was
possible; however, reading past the end of the valid portion of the
packet could cause the parser to attempt to process junk as answer
content.
|
|
this is the third phase of the "resolver overhaul" project.
this commit removes all of the old dns code, and switches the
__lookup_name backend (used by getaddrinfo, etc.) and the getnameinfo
function to use the newly implemented __res_mkquery and __res_msend
interfaces. for parsing the results, a new callback-based __dns_parse
function, based on __dns_get_rr from the old dns code, is used.
|