8597553f96
- Support an arbitrary number of search domains (#168253) - Detect and apply /etc/resolv.conf changes in libresolv (#1374239) - CVE-2015-5180: DNS stub resolver crash with crafted record type (#1251403)
387 lines
15 KiB
Diff
387 lines
15 KiB
Diff
commit c803cb9b24c6cea15698768e4301e963b98e742c
|
|
Author: Florian Weimer <fweimer@redhat.com>
|
|
Date: Thu Apr 13 11:56:28 2017 +0200
|
|
|
|
resolv: Support an exactly sized buffer in ns_name_pack [BZ #21359]
|
|
|
|
This bug did not affect name resolution because those functions
|
|
indirectly call ns_name_pack with a buffer which is always larger
|
|
than the generated query packet, even in the case of the
|
|
longest-possible domain name.
|
|
|
|
diff --git a/resolv/Makefile b/resolv/Makefile
|
|
index db287947a4f7e9a6..d41fd4603d7b7d77 100644
|
|
--- a/resolv/Makefile
|
|
+++ b/resolv/Makefile
|
|
@@ -44,6 +44,7 @@ tests += \
|
|
tst-bug18665 \
|
|
tst-bug18665-tcp \
|
|
tst-ns_name \
|
|
+ tst-ns_name_compress \
|
|
tst-res_hconf_reorder \
|
|
tst-res_use_inet6 \
|
|
tst-resolv-basic \
|
|
@@ -142,6 +143,7 @@ $(objpfx)tst-resolv-canonname: \
|
|
|
|
$(objpfx)tst-ns_name: $(objpfx)libresolv.so
|
|
$(objpfx)tst-ns_name.out: tst-ns_name.data
|
|
+$(objpfx)tst-ns_name_compress: $(objpfx)libresolv.so
|
|
|
|
|
|
# This test case uses the deprecated RES_USE_INET6 resolver option.
|
|
diff --git a/resolv/ns_name.c b/resolv/ns_name.c
|
|
index 0d76fe53a6f2245f..08a75e2fe0b4edd6 100644
|
|
--- a/resolv/ns_name.c
|
|
+++ b/resolv/ns_name.c
|
|
@@ -475,7 +475,7 @@ ns_name_pack(const u_char *src, u_char *dst, int dstsiz,
|
|
goto cleanup;
|
|
}
|
|
n = labellen(srcp);
|
|
- if (dstp + 1 + n >= eob) {
|
|
+ if (n + 1 > eob - dstp) {
|
|
goto cleanup;
|
|
}
|
|
memcpy(dstp, srcp, n + 1);
|
|
diff --git a/resolv/tst-ns_name.c b/resolv/tst-ns_name.c
|
|
index 66d9a6666b2ebde2..65eea4c827780826 100644
|
|
--- a/resolv/tst-ns_name.c
|
|
+++ b/resolv/tst-ns_name.c
|
|
@@ -195,6 +195,7 @@ print_hex (const char *label, struct buffer buffer)
|
|
static void
|
|
run_test_case (struct test_case *t)
|
|
{
|
|
+ /* Test ns_name_unpack. */
|
|
unsigned char *unpacked = xmalloc (NS_MAXCDNAME);
|
|
int consumed = ns_name_unpack
|
|
(t->input.data, t->input.data + t->input.length,
|
|
@@ -211,16 +212,19 @@ run_test_case (struct test_case *t)
|
|
}
|
|
if (consumed != -1)
|
|
{
|
|
- if (memcmp (unpacked, t->unpack_output.data, consumed) != 0)
|
|
+ if (memcmp (unpacked, t->unpack_output.data,
|
|
+ t->unpack_output.length) != 0)
|
|
{
|
|
support_record_failure ();
|
|
printf ("%s:%zu: error: wrong data from ns_name_unpack\n",
|
|
t->path, t->lineno);
|
|
print_hex ("expected:", t->unpack_output);
|
|
- print_hex ("actual: ", (struct buffer) { unpacked, consumed });
|
|
+ print_hex ("actual: ",
|
|
+ (struct buffer) { unpacked, t->unpack_output.length });
|
|
return;
|
|
}
|
|
|
|
+ /* Test ns_name_ntop. */
|
|
char *text = xmalloc (NS_MAXDNAME);
|
|
int ret = ns_name_ntop (unpacked, text, NS_MAXDNAME);
|
|
if (ret != t->ntop_result)
|
|
@@ -243,6 +247,137 @@ run_test_case (struct test_case *t)
|
|
printf (" actual: \"%s\"\n", text);
|
|
return;
|
|
}
|
|
+
|
|
+ /* Test ns_name_pton. Unpacking does not check the
|
|
+ NS_MAXCDNAME limit, but packing does, so we need to
|
|
+ adjust the expected result. */
|
|
+ int expected;
|
|
+ if (t->unpack_output.length > NS_MAXCDNAME)
|
|
+ expected = -1;
|
|
+ else if (strcmp (text, ".") == 0)
|
|
+ /* The root domain is fully qualified. */
|
|
+ expected = 1;
|
|
+ else
|
|
+ /* The domain name is never fully qualified. */
|
|
+ expected = 0;
|
|
+ unsigned char *repacked = xmalloc (NS_MAXCDNAME);
|
|
+ ret = ns_name_pton (text, repacked, NS_MAXCDNAME);
|
|
+ if (ret != expected)
|
|
+ {
|
|
+ support_record_failure ();
|
|
+ printf ("%s:%zu: error: wrong result from ns_name_pton\n"
|
|
+ " expected: %d\n"
|
|
+ " actual: %d\n",
|
|
+ t->path, t->lineno, expected, ret);
|
|
+ return;
|
|
+ }
|
|
+ if (ret >= 0
|
|
+ && memcmp (repacked, unpacked, t->unpack_output.length) != 0)
|
|
+ {
|
|
+ support_record_failure ();
|
|
+ printf ("%s:%zu: error: wrong data from ns_name_pton\n",
|
|
+ t->path, t->lineno);
|
|
+ print_hex ("expected:", t->unpack_output);
|
|
+ print_hex ("actual: ",
|
|
+ (struct buffer) { repacked, t->unpack_output.length });
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ /* Test ns_name_compress, no compression case. */
|
|
+ if (t->unpack_output.length > NS_MAXCDNAME)
|
|
+ expected = -1;
|
|
+ else
|
|
+ expected = t->unpack_output.length;
|
|
+ memset (repacked, '$', NS_MAXCDNAME);
|
|
+ {
|
|
+ enum { ptr_count = 5 };
|
|
+ const unsigned char *dnptrs[ptr_count] = { repacked, };
|
|
+ ret = ns_name_compress (text, repacked, NS_MAXCDNAME,
|
|
+ dnptrs, dnptrs + ptr_count);
|
|
+ if (ret != expected)
|
|
+ {
|
|
+ support_record_failure ();
|
|
+ printf ("%s:%zu: error: wrong result from ns_name_compress\n"
|
|
+ " expected: %d\n"
|
|
+ " actual: %d\n",
|
|
+ t->path, t->lineno, expected, ret);
|
|
+ return;
|
|
+ }
|
|
+ if (ret < 0)
|
|
+ {
|
|
+ TEST_VERIFY (dnptrs[0] == repacked);
|
|
+ TEST_VERIFY (dnptrs[1] == NULL);
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ if (memcmp (repacked, unpacked, t->unpack_output.length) != 0)
|
|
+ {
|
|
+ support_record_failure ();
|
|
+ printf ("%s:%zu: error: wrong data from ns_name_compress\n",
|
|
+ t->path, t->lineno);
|
|
+ print_hex ("expected:", t->unpack_output);
|
|
+ print_hex ("actual: ", (struct buffer) { repacked, ret });
|
|
+ return;
|
|
+ }
|
|
+ TEST_VERIFY (dnptrs[0] == repacked);
|
|
+ if (unpacked[0] == '\0')
|
|
+ /* The root domain is not a compression target. */
|
|
+ TEST_VERIFY (dnptrs[1] == NULL);
|
|
+ else
|
|
+ {
|
|
+ TEST_VERIFY (dnptrs[1] == repacked);
|
|
+ TEST_VERIFY (dnptrs[2] == NULL);
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ /* Test ns_name_compress, full compression case. Skip this
|
|
+ test for invalid names and the root domain. */
|
|
+ if (expected >= 0 && unpacked[0] != '\0')
|
|
+ {
|
|
+ /* The destination buffer needs additional room for the
|
|
+ offset, the initial name, and the compression
|
|
+ reference. */
|
|
+ enum { name_offset = 259 };
|
|
+ size_t target_offset = name_offset + t->unpack_output.length;
|
|
+ size_t repacked_size = target_offset + 2;
|
|
+ repacked = xrealloc (repacked, repacked_size);
|
|
+ memset (repacked, '@', repacked_size);
|
|
+ memcpy (repacked + name_offset,
|
|
+ t->unpack_output.data, t->unpack_output.length);
|
|
+ enum { ptr_count = 5 };
|
|
+ const unsigned char *dnptrs[ptr_count]
|
|
+ = { repacked, repacked + name_offset, };
|
|
+ ret = ns_name_compress
|
|
+ (text, repacked + target_offset, NS_MAXCDNAME,
|
|
+ dnptrs, dnptrs + ptr_count);
|
|
+ if (ret != 2)
|
|
+ {
|
|
+ support_record_failure ();
|
|
+ printf ("%s:%zu: error: wrong result from ns_name_compress"
|
|
+ " (2)\n"
|
|
+ " expected: 2\n"
|
|
+ " actual: %d\n",
|
|
+ t->path, t->lineno, ret);
|
|
+ return;
|
|
+ }
|
|
+ if (memcmp (repacked + target_offset, "\xc1\x03", 2) != 0)
|
|
+ {
|
|
+ support_record_failure ();
|
|
+ printf ("%s:%zu: error: wrong data from ns_name_compress"
|
|
+ " (2)\n"
|
|
+ " expected: C103\n",
|
|
+ t->path, t->lineno);
|
|
+ print_hex ("actual: ",
|
|
+ (struct buffer) { repacked + target_offset, ret });
|
|
+ return;
|
|
+ }
|
|
+ TEST_VERIFY (dnptrs[0] == repacked);
|
|
+ TEST_VERIFY (dnptrs[1] == repacked + name_offset);
|
|
+ TEST_VERIFY (dnptrs[2] == NULL);
|
|
+ }
|
|
+
|
|
+ free (repacked);
|
|
}
|
|
free (text);
|
|
}
|
|
diff --git a/resolv/tst-ns_name_compress.c b/resolv/tst-ns_name_compress.c
|
|
new file mode 100644
|
|
index 0000000000000000..300ba0bf8f0b3ad1
|
|
--- /dev/null
|
|
+++ b/resolv/tst-ns_name_compress.c
|
|
@@ -0,0 +1,75 @@
|
|
+/* Test ns_name_compress corner cases.
|
|
+ Copyright (C) 2017 Free Software Foundation, Inc.
|
|
+ This file is part of the GNU C Library.
|
|
+
|
|
+ The GNU C Library is free software; you can redistribute it and/or
|
|
+ modify it under the terms of the GNU Lesser General Public
|
|
+ License as published by the Free Software Foundation; either
|
|
+ version 2.1 of the License, or (at your option) any later version.
|
|
+
|
|
+ The GNU C Library is distributed in the hope that it will be useful,
|
|
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+ Lesser General Public License for more details.
|
|
+
|
|
+ You should have received a copy of the GNU Lesser General Public
|
|
+ License along with the GNU C Library; if not, see
|
|
+ <http://www.gnu.org/licenses/>. */
|
|
+
|
|
+#include <resolv.h>
|
|
+#include <stdlib.h>
|
|
+#include <support/check.h>
|
|
+#include <support/support.h>
|
|
+
|
|
+/* Check that we can process names which fit into the destination
|
|
+ buffer exactly. See bug 21359. */
|
|
+static void
|
|
+test_exact_fit (const char *name, size_t length)
|
|
+{
|
|
+ unsigned char *buf = xmalloc (length + 1);
|
|
+ memset (buf, '$', length + 1);
|
|
+ enum { ptr_count = 5 };
|
|
+ const unsigned char *dnptrs[ptr_count] = { buf, };
|
|
+ int ret = ns_name_compress (name, buf, length,
|
|
+ dnptrs, dnptrs + ptr_count);
|
|
+ if (ret < 0)
|
|
+ {
|
|
+ support_record_failure ();
|
|
+ printf ("error: ns_name_compress for %s/%zu failed\n", name, length);
|
|
+ return;
|
|
+ }
|
|
+ if ((size_t) ret != length)
|
|
+ {
|
|
+ support_record_failure ();
|
|
+ printf ("error: ns_name_compress for %s/%zu result mismatch: %d\n",
|
|
+ name, length, ret);
|
|
+ }
|
|
+ if (buf[length] != '$')
|
|
+ {
|
|
+ support_record_failure ();
|
|
+ printf ("error: ns_name_compress for %s/%zu padding write\n",
|
|
+ name, length);
|
|
+ }
|
|
+ free (buf);
|
|
+}
|
|
+
|
|
+static int
|
|
+do_test (void)
|
|
+{
|
|
+ test_exact_fit ("abc", 5);
|
|
+ test_exact_fit ("abc.", 5);
|
|
+ {
|
|
+ char long_name[]
|
|
+ = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
|
|
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
|
|
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
|
|
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.";
|
|
+ TEST_VERIFY (strlen (long_name) == NS_MAXCDNAME - 1);
|
|
+ test_exact_fit (long_name, NS_MAXCDNAME);
|
|
+ long_name[sizeof (long_name) - 1] = '\0';
|
|
+ test_exact_fit (long_name, NS_MAXCDNAME);
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+#include <support/test-driver.c>
|
|
diff --git a/resolv/tst-resolv-basic.c b/resolv/tst-resolv-basic.c
|
|
index 94b1631121de01f3..f2b1fc7490430bce 100644
|
|
--- a/resolv/tst-resolv-basic.c
|
|
+++ b/resolv/tst-resolv-basic.c
|
|
@@ -25,6 +25,12 @@
|
|
#include <support/resolv_test.h>
|
|
#include <support/support.h>
|
|
|
|
+#define LONG_NAME \
|
|
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax." \
|
|
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay." \
|
|
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz." \
|
|
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaat"
|
|
+
|
|
static void
|
|
response (const struct resolv_response_context *ctx,
|
|
struct resolv_response_builder *b,
|
|
@@ -43,13 +49,15 @@ response (const struct resolv_response_context *ctx,
|
|
qname_compare = qname + 2;
|
|
else
|
|
qname_compare = qname;
|
|
- enum {www, alias, nxdomain} requested_qname;
|
|
+ enum {www, alias, nxdomain, long_name} requested_qname;
|
|
if (strcmp (qname_compare, "www.example") == 0)
|
|
requested_qname = www;
|
|
else if (strcmp (qname_compare, "alias.example") == 0)
|
|
requested_qname = alias;
|
|
else if (strcmp (qname_compare, "nxdomain.example") == 0)
|
|
requested_qname = nxdomain;
|
|
+ else if (strcmp (qname_compare, LONG_NAME) == 0)
|
|
+ requested_qname = long_name;
|
|
else
|
|
{
|
|
support_record_failure ();
|
|
@@ -69,6 +77,7 @@ response (const struct resolv_response_context *ctx,
|
|
switch (requested_qname)
|
|
{
|
|
case www:
|
|
+ case long_name:
|
|
resolv_response_open_record (b, qname, qclass, qtype, 0);
|
|
break;
|
|
case alias:
|
|
@@ -209,6 +218,10 @@ do_test (void)
|
|
"name: www.example\n"
|
|
"alias: alias.example\n"
|
|
"address: 2001:db8::2\n");
|
|
+ check_h (LONG_NAME, AF_INET,
|
|
+ "name: " LONG_NAME "\n"
|
|
+ "address: 192.0.2.20\n");
|
|
+
|
|
check_ai ("www.example", "80", AF_UNSPEC,
|
|
"address: STREAM/TCP 192.0.2.17 80\n"
|
|
"address: DGRAM/UDP 192.0.2.17 80\n"
|
|
@@ -223,6 +236,13 @@ do_test (void)
|
|
"address: STREAM/TCP 2001:db8::2 80\n"
|
|
"address: DGRAM/UDP 2001:db8::2 80\n"
|
|
"address: RAW/IP 2001:db8::2 80\n");
|
|
+ check_ai (LONG_NAME, "80", AF_UNSPEC,
|
|
+ "address: STREAM/TCP 192.0.2.20 80\n"
|
|
+ "address: DGRAM/UDP 192.0.2.20 80\n"
|
|
+ "address: RAW/IP 192.0.2.20 80\n"
|
|
+ "address: STREAM/TCP 2001:db8::4 80\n"
|
|
+ "address: DGRAM/UDP 2001:db8::4 80\n"
|
|
+ "address: RAW/IP 2001:db8::4 80\n");
|
|
check_ai ("www.example", "80", AF_INET,
|
|
"address: STREAM/TCP 192.0.2.17 80\n"
|
|
"address: DGRAM/UDP 192.0.2.17 80\n"
|
|
@@ -231,6 +251,10 @@ do_test (void)
|
|
"address: STREAM/TCP 192.0.2.18 80\n"
|
|
"address: DGRAM/UDP 192.0.2.18 80\n"
|
|
"address: RAW/IP 192.0.2.18 80\n");
|
|
+ check_ai (LONG_NAME, "80", AF_INET,
|
|
+ "address: STREAM/TCP 192.0.2.20 80\n"
|
|
+ "address: DGRAM/UDP 192.0.2.20 80\n"
|
|
+ "address: RAW/IP 192.0.2.20 80\n");
|
|
check_ai ("www.example", "80", AF_INET6,
|
|
"address: STREAM/TCP 2001:db8::1 80\n"
|
|
"address: DGRAM/UDP 2001:db8::1 80\n"
|
|
@@ -239,6 +263,10 @@ do_test (void)
|
|
"address: STREAM/TCP 2001:db8::2 80\n"
|
|
"address: DGRAM/UDP 2001:db8::2 80\n"
|
|
"address: RAW/IP 2001:db8::2 80\n");
|
|
+ check_ai (LONG_NAME, "80", AF_INET6,
|
|
+ "address: STREAM/TCP 2001:db8::4 80\n"
|
|
+ "address: DGRAM/UDP 2001:db8::4 80\n"
|
|
+ "address: RAW/IP 2001:db8::4 80\n");
|
|
|
|
check_h ("t.www.example", AF_INET,
|
|
"name: t.www.example\n"
|