dns: parser reads into garbage on misreported packet size #468
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bwillcox
force-pushed
the
bad_packet_size
branch
from
6af668f to
e6966e2
Compare
bwillcox
changed the title
bwillcox
force-pushed
the
bad_packet_size
branch
from
e6966e2 to
f1037c1
Compare
bwillcox
changed the title
|
Nice one. I'm curious whether you found this in the wild and how it would actually come to be? e.g. what would the trailer padding be in a real packet. Regardless, this seems reasonable so merging! |
It's from the wild. We don't understand the bad packet size root cause. It only happens on some networks and one operating system and is only reproducible in some environments. The bad data seems random - mostly zeroes. This was a major trouble maker! :) |
laudrup
pushed a commit
to laudrup/libtins
that referenced
this pull request
Nov 23, 2022
…#468) Co-authored-by: Bill Willcox <billwcorp@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The unit test demonstrates the following issue. The DNS packet is valid, but the packet size is misreported to be larger than the size of the valid packet. Attempting to get RR's for the additional section causes the parser to read into garbage past the end of the packet. This results in a malformed packet exception.
There is no language in the spec that addresses this use case. However, the RR counts in the header provide sufficient data for the parser to know when it could stop parsing.
Added code to limit RR fetch to count specified in header.