sock_dns: Fix incorrect buffer bounds check #15345
Conversation
Change looks sensible, will test. In the mean time please apply the following style nit.
ACK. I can reproduce the steps of the testing procedure with:

include ../Makefile.tests_common
USEMODULE += sock_dns
USEMODULE += sock_udp
USEMODULE += gnrc_nettype_ipv6
include $(RIOTBASE)/Makefile.include
Please squash
03d64d5 to 85296ce
Thank you for testing! :)
Done.
Apart from advancing the buffer by RR_TYPE_LENGTH, RR_CLASS_LENGTH, and RR_TTL_LENGTH, the code also attempts to read a two-byte unsigned integer using _get_short(bufpos):
unsigned addrlen = ntohs(_get_short(bufpos));
The bounds check must therefore ensure that the given buffer is large enough to contain two more bytes after advancing the buffer.
Seems to have passed on CI, is there anything else I can do in order to get this merged?
My ACK was missing ;-). I tested it and the fix fixes what it is supposed to do. ACK
Contribution description
The following bounds check performed in sock_dns is IMHO incorrect: RIOT/sys/net/application_layer/dns/dns.c, lines 128 to 130 in 1de1493
It does not take into account that after bufpos is advanced by RR_TYPE_LENGTH, RR_CLASS_LENGTH, and RR_TTL_LENGTH, two bytes are read unconditionally using the _get_short function in the following line: RIOT/sys/net/application_layer/dns/dns.c, line 137 in 1de1493
This is currently not taken into account by the bounds check, thus resulting in a potential out-of-bounds buffer access by a maximum of two bytes.
Testing procedure
The easiest way to confirm this issue is using the following application:
Attention: This application passes data directly to _parse_dns_reply; for this reason the static keyword must be removed from the _parse_dns_reply function in sys/net/application_layer/dns/dns.c. Afterwards, compile the application with:
And execute it with:
This will result in the following error message:
With the proposed patch applied no error is detected by ASAN. I think the _get_short function should also be renamed to _get_u16 and the issue could be avoided altogether by passing buffer bounds to _get_u16 and checking these bounds before performing the access in this function.
Issues/PRs references
The incorrect check was introduced in #10740 for fixing #10739.
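To make the off-by-two concrete, here is an added, self-contained C model of the check described above and in the author's comment. It is not RIOT's dns.c: only the RR_TYPE_LENGTH, RR_CLASS_LENGTH and RR_TTL_LENGTH names come from the PR, their values are the RFC 1035 field sizes, and RDLENGTH_LENGTH, get_u16, old_check_accepts, old_check_overrun, parse_rr_tail and sample_rdlength are hypothetical names chosen for the example. parse_rr_tail applies the corrected bound (fixed fields plus the two-byte RDLENGTH) and reads through a bounds-aware get_u16 in the spirit of the _get_u16 suggestion; old_check_overrun reports how far the pre-fix check lets the RDLENGTH read run past a truncated buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed-size resource-record fields that follow the owner name (sizes per RFC 1035).
 * The first three names are the ones the PR quotes; RDLENGTH_LENGTH is our own. */
#define RR_TYPE_LENGTH   2
#define RR_CLASS_LENGTH  2
#define RR_TTL_LENGTH    4
#define RDLENGTH_LENGTH  2
#define RR_FIXED_LENGTH  (RR_TYPE_LENGTH + RR_CLASS_LENGTH + RR_TTL_LENGTH)

/* Big-endian 16-bit read that refuses to touch bytes outside [buf, buf + buflen).
 * Hypothetical stand-in for the bounds-aware _get_u16 the PR description suggests. */
static bool get_u16(const uint8_t *buf, size_t buflen, size_t off, uint16_t *out)
{
    if (off > buflen || buflen - off < 2) {
        return false;
    }
    *out = (uint16_t)(((uint16_t)buf[off] << 8) | buf[off + 1]);
    return true;
}

/* Pre-fix check: accepts as soon as the three fixed fields fit, ignoring the
 * RDLENGTH read that follows them. Kept only to show which inputs it lets through. */
bool old_check_accepts(size_t buflen, size_t pos)
{
    return pos <= buflen && buflen - pos >= RR_FIXED_LENGTH;
}

/* Bytes by which the RDLENGTH read would overrun a buffer the old check accepted
 * (0 when the read fits or the old check already rejected the buffer). */
size_t old_check_overrun(size_t buflen, size_t pos)
{
    if (!old_check_accepts(buflen, pos)) {
        return 0;
    }
    size_t after_fixed = buflen - pos - RR_FIXED_LENGTH;
    return after_fixed >= RDLENGTH_LENGTH ? 0 : RDLENGTH_LENGTH - after_fixed;
}

/* Corrected check plus the parse it guards: the buffer must hold the fixed fields
 * AND the two-byte RDLENGTH. Returns 0 and fills *type/*rdlength, or -1 if short. */
int parse_rr_tail(const uint8_t *buf, size_t buflen, size_t pos,
                  uint16_t *type, uint16_t *rdlength)
{
    if (pos > buflen || buflen - pos < RR_FIXED_LENGTH + RDLENGTH_LENGTH) {
        return -1;
    }
    if (!get_u16(buf, buflen, pos, type)) {
        return -1;  /* cannot happen after the check above, kept for symmetry */
    }
    pos += RR_TYPE_LENGTH + RR_CLASS_LENGTH + RR_TTL_LENGTH;
    /* With only the old check, this is the read that could run two bytes past the end. */
    if (!get_u16(buf, buflen, pos, rdlength)) {
        return -1;
    }
    return 0;
}

/* Constructed A-record tail: TYPE=1, CLASS=1, TTL=300, RDLENGTH=4, RDATA=10.0.0.1 */
static const uint8_t sample_rr[] = {0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x2c,
                                    0x00, 0x04, 10, 0, 0, 1};

/* Parses the sample record as if only its first `buflen` bytes had arrived;
 * returns the RDLENGTH value or -1 when the corrected check rejects the buffer. */
int sample_rdlength(size_t buflen)
{
    uint16_t type, rdlength;
    if (buflen > sizeof sample_rr ||
        parse_rr_tail(sample_rr, buflen, 0, &type, &rdlength) != 0) {
        return -1;
    }
    return rdlength;
}

int main(void)
{
    printf("full record: rdlength=%d\n", sample_rdlength(sizeof sample_rr));
    /* Truncated reply: 9 bytes, i.e. the fixed fields plus one byte of RDLENGTH. */
    printf("9-byte tail: old check accepts=%d (overrun %zu bytes), new check=%d\n",
           (int)old_check_accepts(9, 0), old_check_overrun(9, 0), sample_rdlength(9));
    return 0;
}
```

Feeding a tail of exactly RR_FIXED_LENGTH or RR_FIXED_LENGTH + 1 bytes is the case ASAN flags in the description: the old check passes it, and the RDLENGTH read then touches two or one bytes beyond the buffer, which is the "maximum of two bytes" the PR describes.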