Skip to content

harden DNS resolver (insp20 branch) #2

wants to merge 4 commits into from

1 participant

kaniini commented Mar 20, 2012

these commits harden the DNS resolver to fix the CERT bug.

new changes:

  • don't explicitly trust rr.rdlength
  • validate lengths on decompression (using same behaviour as charybdis)
  • check A/AAAA replies too, as they could be exploited using similar technique
kaniini added some commits Mar 20, 2012
@kaniini kaniini dns: iterators which are integer should always be unsigned, else an i…
…nteger underflow is possible.

Signed-off-by: William Pitcock <>
@kaniini kaniini dns: reject messages with lengths larger than DNSHeader with prejudice
This also includes when decompressing name entries.
@kaniini kaniini dns: more hardening
- don't trust rr.rdlength
- don't accept replies we know are impossible for AAAA/A records
- don't try to process record types we do not know about specifically
  (this behaviour just leads to disaster)
@kaniini kaniini dns: cleanup ResultIsReady() prototype eac05f8
@kaniini kaniini closed this Mar 21, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.