Permalink
Browse files

dns: more hardening

- don't trust rr.rdlength
- don't accept replies we know are impossible for AAAA/A records
- don't try to process record types we do not know about specifically
  (this behaviour just leads to disaster)
  • Loading branch information...
1 parent 9aa28f3 commit 84ab0478f9dd7f7f8dc92aa1edaf6b71fe28035b @kaniini kaniini committed Mar 20, 2012
Showing with 7 additions and 2 deletions.
  1. +7 −2 src/dns.cpp
View
@@ -845,16 +845,21 @@ DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, int length)
res[o] = 0;
break;
case DNS_QUERY_AAAA:
+ if (rr.rdlength != sizeof(struct in6_addr))
+ return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 16 bytes for an ipv6 entry -- malformed/hostile packet?");
+
memcpy(res,&header.payload[i],rr.rdlength);
res[rr.rdlength] = 0;
break;
case DNS_QUERY_A:
+ if (rr.rdlength != sizeof(struct in_addr))
+ return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 4 bytes for an ipv4 entry -- malformed/hostile packet?");
+
memcpy(res,&header.payload[i],rr.rdlength);
res[rr.rdlength] = 0;
break;
default:
- memcpy(res,&header.payload[i],rr.rdlength);
- res[rr.rdlength] = 0;
+ return std::make_pair((unsigned char *) NULL, "don't know how to handle undefined type (" + ConvToStr(rr.type) + ") -- rejecting");
break;
}
return std::make_pair(res,"No error");

0 comments on commit 84ab047

Please sign in to comment.