musl/src/network/dns_parse.c, branch v1.2.6 musl - an implementation of the standard library for Linux-based systems remove arbitrary limit from dns result parsing 2023-11-06T18:50:21+00:00 Quentin Rameau quinq@fifth.space 2023-10-04T19:29:43+00:00 8c086e767468cc11c6d58d6a92d8511c2bd12024 The name resolution would abort when getting more than 63 records per request, due to what seems to be a left-over from the original code. This check was non-breaking but spurious prior to TCP fallback support, since any 512-byte packet with more than 63 records was necessarily malformed. But now, it wrongly rejects valid results. Reported by Daniel Stefanik in Alpine Linux aports issue 15320. 
The name resolution would abort when getting more than 63 records per
request, due to what seems to be a left-over from the original code.
This check was non-breaking but spurious prior to TCP fallback
support, since any 512-byte packet with more than 63 records was
necessarily malformed. But now, it wrongly rejects valid results.

Reported by Daniel Stefanik in Alpine Linux aports issue 15320.
fix rejection of dns responses with pointers past 512 byte offset 2023-07-17T22:03:38+00:00 Rich Felker dalias@aerifal.cx 2023-07-17T22:03:38+00:00 83b858f83b658bd34eca5d8ad4d145f673ae7e5e the __dns_parse code used by the stub resolver traditionally included code to reject label pointers to offsets past a 512 byte limit, despite never processing the label contents, only stepping over them. when commit 51d4669fb97782f6a66606da852b5afd49a08001 added support for tcp fallback, this limit was overlooked, and as a result, it was at least theoretically possible for some valid large answers to be rejected on account of these offsets. since the limit was never serving any useful purpose, just remove it. 
the __dns_parse code used by the stub resolver traditionally included
code to reject label pointers to offsets past a 512 byte limit,
despite never processing the label contents, only stepping over them.
when commit 51d4669fb97782f6a66606da852b5afd49a08001 added support for
tcp fallback, this limit was overlooked, and as a result, it was at
least theoretically possible for some valid large answers to be
rejected on account of these offsets.

since the limit was never serving any useful purpose, just remove it.
prevent CNAME/PTR parsing from reading data past the response end 2023-02-27T15:03:06+00:00 Alexey Izbyshev izbyshev@ispras.ru 2023-01-29T16:46:51+00:00 9b132e556774c744f9052581d2d8d0fab417e97c DNS parsing callbacks pass the response buffer end instead of the actual response end to dn_expand, so a malformed DNS response can use message compression to make dn_expand jump past the response end and attempt to parse uninitialized parts of that buffer, which might succeed and return garbage. 
DNS parsing callbacks pass the response buffer end instead of the actual
response end to dn_expand, so a malformed DNS response can use message
compression to make dn_expand jump past the response end and attempt to
parse uninitialized parts of that buffer, which might succeed and return
garbage.
fix out-of-bounds reads in __dns_parse 2023-02-27T15:01:29+00:00 Alexey Izbyshev izbyshev@ispras.ru 2023-01-27T21:17:37+00:00 12590c8bbd04ea484cee86812e2258fbdfca0e59 There are several issues with range checks in this function: * The question section parsing loop can read up to two out-of-bounds bytes before doing the range check and bailing out. * The answer section parsing loop, in addition to the same issue as above, uses the wrong length in the range check that doesn't prevent OOB reads when computing len later. * The len range check before calling the callback is off by 10. Also, p+len can overflow in a (probably theoretical) case when p is within 2^16 from UINTPTR_MAX. Because __dns_parse is used only with stack-allocated buffers, such small overreads can't result in a segfault. The first two also don't affect the function result, but the last one may result in getaddrinfo incorrectly succeeding and returning up to 10 bytes past the response buffer as a part of the IP address, and in (canon) name returned by getaddrinfo/getnameinfo being affected by memory past the response buffer (because dn_expand might interpret it as a pointer). 
There are several issues with range checks in this function:

* The question section parsing loop can read up to two out-of-bounds
  bytes before doing the range check and bailing out.

* The answer section parsing loop, in addition to the same issue as
  above, uses the wrong length in the range check that doesn't prevent
  OOB reads when computing len later.

* The len range check before calling the callback is off by 10. Also,
  p+len can overflow in a (probably theoretical) case when p is within
  2^16 from UINTPTR_MAX.

Because __dns_parse is used only with stack-allocated buffers, such
small overreads can't result in a segfault. The first two also don't
affect the function result, but the last one may result in getaddrinfo
incorrectly succeeding and returning up to 10 bytes past the
response buffer as a part of the IP address, and in (canon) name
returned by getaddrinfo/getnameinfo being affected by memory past the
response buffer (because dn_expand might interpret it as a pointer).
move and deduplicate declarations of __dns_parse to make it checkable 2018-09-12T18:34:29+00:00 Rich Felker dalias@aerifal.cx 2018-09-07T19:51:00+00:00 c98bf5b8691b21373ff8d9698e89a75acdefdc75 the source file for this function is completely standalone, but it doesn't seem worth adding a header just for it, so declare it in lookup.h for now. 
the source file for this function is completely standalone, but it
doesn't seem worth adding a header just for it, so declare it in
lookup.h for now.
fix some validation checks in dns response parsing code 2014-06-03T05:43:29+00:00 Rich Felker dalias@aerifal.cx 2014-06-03T05:43:29+00:00 ac2a7893427b6c94f05609d214178f8d5a18b333 since the buffer passed always has an actual size of 512 bytes, the maximum possible response packet size, no out-of-bounds access was possible; however, reading past the end of the valid portion of the packet could cause the parser to attempt to process junk as answer content. 
since the buffer passed always has an actual size of 512 bytes, the
maximum possible response packet size, no out-of-bounds access was
possible; however, reading past the end of the valid portion of the
packet could cause the parser to attempt to process junk as answer
content.
switch standard resolver functions to use the new dns backend 2014-06-02T08:47:45+00:00 Rich Felker dalias@aerifal.cx 2014-06-02T08:47:45+00:00 3330198060c7b3165a2fba530ffde5fc6706ecf2 this is the third phase of the "resolver overhaul" project. this commit removes all of the old dns code, and switches the __lookup_name backend (used by getaddrinfo, etc.) and the getnameinfo function to use the newly implemented __res_mkquery and __res_msend interfaces. for parsing the results, a new callback-based __dns_parse function, based on __dns_get_rr from the old dns code, is used. 
this is the third phase of the "resolver overhaul" project.

this commit removes all of the old dns code, and switches the
__lookup_name backend (used by getaddrinfo, etc.) and the getnameinfo
function to use the newly implemented __res_mkquery and __res_msend
interfaces. for parsing the results, a new callback-based __dns_parse
function, based on __dns_get_rr from the old dns code, is used.