sock_dns: fix out-of-bound errors #10740
Conversation
b7a6187 to
c05257e
Compare
|
Fixed some typos and unrelated changes that snuck in. Should be good for review now. |
|
How I sometimes wish C had exceptions. |
Those don't make your life any better and bloat the code (even Rust does something else) |
There was a problem hiding this comment.
My comments in the code are not relevant to this PR. (They are minor enough that they could be addressed in this PR easily as well, but with the urgency of this PR it might be better to make a new PR for that. I could also propose such a PR, if you want.)
So back to this PR: I do approve with the code, but I cannot test as I'm missing the hardware.
|
Addressed newest comments |
| @@ -689,6 +689,7 @@ endif | |||
|
|
|||
| ifneq (,$(filter sock_dns,$(USEMODULE))) | |||
| USEMODULE += sock_util | |||
| USEMODULE += posix | |||
There was a problem hiding this comment.
Though this dependency is also pulled in by sock_util, I think it is cleaner to add this dependency due to https://github.com/RIOT-OS/RIOT/pull/10740/files#diff-0f2b4bcad3760716a76eab7708ea0e28R18 (it just adds the posix include path).
|
@kaspar030 backport to 2018.10? |
Yeah, I seem to remember that we intent to provide security fixes for the current release? |
sys/net/application_layer/dns/dns.c
Outdated
| continue; | ||
| } | ||
| if ((addrlen != INADDRSZ) || (addrlen != IN6ADDRSZ)) { |
There was a problem hiding this comment.
This is always true. Should be &&.
There was a problem hiding this comment.
Nope, see newest version ;-)
There was a problem hiding this comment.
I see, that is even better.
There was a problem hiding this comment.
Ah wait, that doesn't work with AF_UNSPEC..
sys/net/application_layer/dns/dns.c
Outdated
| @@ -140,7 +140,7 @@ static int _parse_dns_reply(uint8_t *buf, size_t len, void* addr_out, int family | |||
| ((_type == DNS_TYPE_AAAA) && (family == AF_INET)) || | |||
| ! ((_type == DNS_TYPE_A) || ((_type == DNS_TYPE_AAAA)) | |||
| )) { | |||
| if (((bufpos - pos) + addrlen) < (bufpos - pos)) { | |||
| if (addrlen < len) { | |||
There was a problem hiding this comment.
The comparison needs to be the other way around.
There was a problem hiding this comment.
Need to go to bed -.-... Fixed.
sys/net/application_layer/dns/dns.c
Outdated
| /* skip unwanted answers */ | ||
| if ((class != DNS_CLASS_IN) || | ||
| ((_type == DNS_TYPE_A) && (family == AF_INET6)) || | ||
| ((_type == DNS_TYPE_AAAA) && (family == AF_INET)) || | ||
| ! ((_type == DNS_TYPE_A) || ((_type == DNS_TYPE_AAAA)) | ||
| )) { | ||
| if (addrlen < len) { |
There was a problem hiding this comment.
| if (addrlen < len) { | |
| if (addrlen > len) { |
|
I think this can be squashed? |
42d7cf5 to
b1de000
Compare
|
Squashed on top of original merge base. |
b1de000 to
1a61b8a
Compare
|
Fixed and squashed whitespace error reported by Murdock |
|
@riot-ci is happy. @nmeum @pyropeter @kaspar030 @maribu are you? |
1a61b8a to
2c6af6e
Compare
|
I just tried the test on native, it returns "error resolving example.org". dnsmasq seems to have gotten the request: |
|
dns.c line 124 returns |
sorry, |
|
|
||
| unsigned addrlen = ntohs(_get_short(bufpos)); | ||
| bufpos += 2; |
|
Nope, it got moved to line 158. However, I found the bug (the return in l
101 is wrong as it does not return the length of the hostname, but the
offset of the end of the hostname).
… |
|
I just tried the test on native, it returns "error resolving example.org".
Please try again with 4c507e9
|
works now. pls squash! |
4c507e9 to
894ad29
Compare
|
Squashed. Diff of force push should show no difference ;) |
|
Thanks everyone involved, and thanks @miri64 for dealing with the mess I created! Lessons I learned:
|
Welp, I merged the mess IIRC, so I was as obligated as you ;-). |
Failure tests, failure tests, failure tests. If I find some time tomorrow I will provide a PR for that (in a similar way as #10382 and #10392) before I tackle @maribu's suggestions in #10740 (review). |
|
Backport provided in #10757 |
|
(forgot about that) |
Contribution description
Fixes #10739
Testing procedure
I compiled
tests/gnrc_sock_dnswith the following patch:flashed a
samr21-xpro(alternativelypba-d-01-kw2xas described in #10739 is also possible), and connected an ethos terminal to the nodeI reset the node to get its link-local address for later.
Then I started a RADVD with the following config:
and reconfigured the correct route to the host (the preconfigured route by
start_network.shdoes not work, since uhcpc is not available on the node):sudo ip route del affe:abe::/64 sudo ip route add affe:abe::/64 via "<link-local address of node>" dev tap0Then I start the exploit script described in #10739 (or provided by https://github.com/beduino-project/exploit-riot-dns) and reset the node again to start the test. Without this PR the node will crash (note that the exploit described in #10739 does not work but only crashes the node since due to the usage of
ethosthe binary is different), withit it will just reporterror resolving example.org.I also tested expected operation as described in the application's README.
Issues/PRs references
Fixes #10739.